Skip to main content

Nextcloud Calendar CVE-2026-45286

| EUVDEUVD-2026-33711 MEDIUM
Information Exposure (CWE-200)
2026-06-01 GitHub_M
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jun 01, 2026 - 20:02 EUVD
Source Code Evidence Fetched
Jun 01, 2026 - 19:31 vuln.today
Analysis Generated
Jun 01, 2026 - 19:31 vuln.today

DescriptionGitHub Advisory

Nextcloud is an open source content collaboration platform. From versions 5.5.13 to before 5.5.17, and 6.2.0 to before 6.2.3, an authenticated user can enumerate users on the same Nextcloud instance by using the Calendar app's endpoint for suggesting attendees. The sharing restrictions, applied to other endpoints, were not effective here. This issue has been patched in versions 5.5.17 and 6.2.3.

AnalysisAI

User enumeration via Nextcloud Calendar's attendee suggestion endpoint affects authenticated users on versions 5.5.13-5.5.16 and 6.2.0-6.2.2. The searchAttendee controller method in ContactController.php called the contacts manager search API without passing the instance's configured sharing restriction parameters - meaning enumeration-limiting settings (shareapi_allow_share_dialog_user_enumeration, shareapi_only_share_with_group_members, group-scoped restrictions) enforced on all other sharing endpoints were silently bypassed here. An authenticated low-privilege attacker can probe the endpoint with partial name or email strings to reconstruct the full user directory, disclosing usernames and email addresses that administrators had intentionally restricted. No public exploit identified at time of analysis and no confirmed active exploitation (CISA KEV not listed).

Technical ContextAI

The vulnerable code resides in lib/Controller/ContactController.php within the Nextcloud Calendar application (a separate installable app on top of the Nextcloud platform). Prior to the fix, searchAttendee() invoked $this->contactsManager->search($search, ['FN', 'EMAIL'], ['enumeration' => true]) - hardcoding enumeration: true and omitting the full set of sharing API config checks. The fix injects IConfig and IGroupManager dependencies and reads six core configuration keys (shareapi_allow_share_dialog_user_enumeration, shareapi_only_share_with_group_members, shareapi_restrict_user_enumeration_to_group, shareapi_restrict_user_enumeration_full_match, and related sub-settings) before filtering results, mirroring the logic applied to the main sharing dialog. The root cause class is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): a privileged access-control policy existed and was enforced elsewhere, but was not applied to this endpoint, creating an inconsistency that leaks data. The CPE cpe:2.3:a:nextcloud:security-advisories:*:*:*:*:*:*:*:* reflects the Nextcloud security advisory namespace rather than a narrowed product CPE; the precise affected artifact is the nextcloud/calendar composer package.

RemediationAI

Vendor-released patches are available: upgrade Nextcloud Calendar to version 5.5.17 (for the 5.x branch) or 6.2.3 (for the 6.x branch). The fix is implemented in PR #8197 (https://github.com/nextcloud/calendar/pull/8197), which has been merged and released. Administrators should update the Calendar app via the Nextcloud App Store or Composer. If immediate upgrade is not feasible, a compensating control is to disable the Nextcloud Calendar app entirely until patching is possible - this removes the vulnerable endpoint at the cost of calendar functionality for all users. Alternatively, if the organization's Nextcloud instance does not rely on user enumeration restrictions (i.e., shareapi_allow_share_dialog_user_enumeration is already set to 'yes' by policy), the practical confidentiality impact is negligible and the patch can be scheduled for the next maintenance window without emergency urgency. Restricting network access to the Nextcloud instance to trusted users only would reduce exposure but is not a targeted mitigiation. Vendor advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r697-74m9-gvf2.

CVE-2023-26482 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2020-8180 CRITICAL POC
9.9 Jun 08

A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co

CVE-2023-48306 CRITICAL POC
9.8 Nov 21

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),

CVE-2016-9463 HIGH POC
8.1 Mar 28

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti

CVE-2023-31128 HIGH POC
8.8 May 26

NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2023-28643 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2021-22879 HIGH POC
8.8 Apr 14

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi

CVE-2019-12739 HIGH POC
8.8 Jun 05

lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi

CVE-2020-8259 HIGH POC
8.1 Nov 16

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the

CVE-2020-8121 HIGH POC
8.1 Feb 04

A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high

CVE-2020-8182 HIGH POC
8.0 Oct 05

Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss

CVE-2020-8224 HIGH POC
7.8 Aug 10

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi

Share

CVE-2026-45286 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy