4.3
CVE-2026-45286
- EPSS 0.28%
- Veröffentlicht 01.06.2026 16:59:36
- Zuletzt bearbeitet 03.06.2026 20:35:59
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Nextcloud: Calendar app leaked user identifiers via attendee suggestion endpoint
Calendar app leaked user identifiers via attendee suggestion endpoint
Nextcloud is an open source content collaboration platform. From versions 5.5.13 to before 5.5.17, and 6.2.0 to before 6.2.3, an authenticated user can enumerate users on the same Nextcloud instance by using the Calendar app's endpoint for suggesting attendees. The sharing restrictions, applied to other endpoints, were not effective here. This issue has been patched in versions 5.5.17 and 6.2.3.
Mögliche Gegenmaßnahme
Calendar: * Disable Calendar app
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VulnDex Vulnerability Enrichment
Weitere Schwachstelleninformationen
SystemNextcloud App
≫
Produkt
Calendar
Version
>= 5.5.13, < 5.5.17
Version
>= 6.2.0, < 6.2.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.28% | 0.196 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
|
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r697-74m9-gvf2
https://github.com/nextcloud/calendar/issues/7971
https://github.com/nextcloud/calendar/pull/8197
https://hackerone.com/reports/3540663
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r697-74m9-gvf2