4.3

CVE-2026-45286

Exploit

Nextcloud: Calendar app leaked user identifiers via attendee suggestion endpoint

Calendar app leaked user identifiers via attendee suggestion endpoint

Nextcloud is an open source content collaboration platform. From versions 5.5.13 to before 5.5.17, and 6.2.0 to before 6.2.3, an authenticated user can enumerate users on the same Nextcloud instance by using the Calendar app's endpoint for suggesting attendees. The sharing restrictions, applied to other endpoints, were not effective here. This issue has been patched in versions 5.5.17 and 6.2.3.
Mögliche Gegenmaßnahme
Calendar: * Disable Calendar app
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NextcloudCalendar Version >= 5.5.13 < 5.5.17
NextcloudCalendar Version >= 6.2.0 < 6.2.3
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Weitere Schwachstelleninformationen
SystemNextcloud App
Produkt Calendar
Version >= 5.5.13, < 5.5.17
Version >= 6.2.0, < 6.2.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.28% 0.196
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r697-74m9-gvf2
Vendor Advisory
Mitigation
https://github.com/nextcloud/calendar/issues/7971
Patch
Exploit
Issue Tracking
https://github.com/nextcloud/calendar/pull/8197
Patch
Issue Tracking
https://hackerone.com/reports/3540663
Permissions Required
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r697-74m9-gvf2
Third Party Advisory