CVE-2026-45281: Authorization Bypass in Nextcloud Server Calendar
Status: Analyzed - Analysis Complete

Publication date: 2026-06-01

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an attacker who knows another user's principal URL could send a request that grants them full access to that user's calendar. The attacker must therefore be an authenticated user. The cause is improper authorization controls in the calendar backend. With that access, the attacker would be able to view and modify the calendar. It is recommended that Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, 27.1.11.26, 26.0.13.26, 25.0.13.29, 24.0.12.34, 23.0.12.35, 22.2.10.39, or 21.0.9.23.
Meta Information
Published: 2026-06-01
Last Modified: 2026-06-03
Generated: 2026-06-22
AI Q&A: 2026-06-01
EPSS Evaluated: 2026-06-20
External references: NVD, EUVD
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
nextcloud nextcloud_server From 32.0.0 (inc) to 32.0.9 (exc)
nextcloud nextcloud_server From 33.0.0 (inc) to 33.0.3 (exc)
nextcloud nextcloud_server From 29.0.0 (inc) to 29.0.16.16 (exc)
nextcloud nextcloud_server From 30.0.0 (inc) to 30.0.17.9 (exc)
nextcloud nextcloud_server From 31.0.0 (inc) to 31.0.14.5 (exc)
nextcloud nextcloud_server From 32.0.0 (inc) to 32.0.9 (exc)
nextcloud nextcloud_server From 33.0.0 (inc) to 33.0.3 (exc)
nextcloud nextcloud_server From 25.0.0 (inc) to 25.0.13.29 (exc)
nextcloud nextcloud_server From 26.0.0 (inc) to 26.0.13.26 (exc)
nextcloud nextcloud_server From 27.0.0 (inc) to 27.1.11.26 (exc)
nextcloud nextcloud_server From 28.0.0 (inc) to 28.0.14.17 (exc)
nextcloud nextcloud_server From 21.0.0 (inc) to 21.0.9.23 (exc)
nextcloud nextcloud_server From 22.0.0 (inc) to 22.2.10.39 (exc)
nextcloud nextcloud_server From 23.0.0 (inc) to 23.0.12.35 (exc)
nextcloud nextcloud_server From 24.0.0 (inc) to 24.0.12.34 (exc)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Compliance Impact

The vulnerability allows an authenticated attacker to gain full access to another user's calendar, enabling them to view and modify calendar data due to improper authorization controls.

This unauthorized access to personal or sensitive calendar information could lead to violations of data protection regulations such as GDPR or HIPAA, which require strict controls on access to personal and sensitive data.

Therefore, the vulnerability poses a risk to compliance with these standards by potentially exposing confidential user information without proper authorization.

Executive Summary

CVE-2026-45281 is a high-severity vulnerability in Nextcloud Server and Enterprise Server that allows an authenticated attacker to gain full access to another user's calendar.

The attacker must know the other user's principal URL and exploit improper authorization controls in the backend of the calendar application to send a request that grants them full access.

This means the attacker can view and modify the victim's calendar data without proper permission.

Impact Analysis

This vulnerability can lead to unauthorized access and modification of your calendar data by an authenticated attacker.

Such unauthorized access compromises the confidentiality and integrity of your calendar information, potentially exposing sensitive scheduling details or allowing malicious changes.

The CVSS score of 8.1 reflects a high risk, emphasizing the significant impact on confidentiality and integrity.

Detection Guidance

This vulnerability involves an authenticated attacker who knows other users' principal URLs sending requests to gain unauthorized access to their calendars. Detection can therefore focus on monitoring for unusual or unauthorized CalDAV requests against calendar endpoints.

Until the upgrade is applied, check for suspicious access patterns to calendar delegation endpoints and inspect the oc_dav_cal_proxy table for unexpected entries that might indicate exploitation attempts.

Specific commands are not provided in the available resources, but administrators can monitor web server logs for unusual authenticated requests to calendar-related URLs, in particular requests by one user against paths belonging to another user, and query the database table oc_dav_cal_proxy for anomalies.
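The log review described above, as an added example that is not part of the advisory or of Nextcloud's own tooling: a small Python script that walks a web server access log and lists authenticated requests sent against another user's calendar or principal path. The sample log lines are constructed, the path layout (/remote.php/dav/calendars/<user>/ and /remote.php/dav/principals/users/<user>/) is assumed to follow Nextcloud's DAV URL scheme, and the KNOWN_DELEGATIONS allowlist stands in for a reviewed export of the oc_dav_cal_proxy table, so that legitimate delegates are not reported.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample access log (Apache "combined" style, not real traffic).
# The third field is the user name authenticated for the request; "-" means
# the request was unauthenticated. Paths follow Nextcloud's /remote.php/dav/
# layout, which is assumed here rather than taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - alice [02/Jun/2026:09:12:01 +0000] "PROPFIND /remote.php/dav/calendars/alice/personal/ HTTP/1.1" 207 2310 "-" "Mozilla/5.0"
10.0.0.7 - bob [02/Jun/2026:09:12:40 +0000] "PROPFIND /remote.php/dav/calendars/bob/personal/ HTTP/1.1" 207 1804 "-" "DAVx5"
10.0.0.9 - mallory [02/Jun/2026:09:14:03 +0000] "PROPPATCH /remote.php/dav/principals/users/alice/ HTTP/1.1" 207 412 "-" "curl/8.4"
10.0.0.9 - mallory [02/Jun/2026:09:14:09 +0000] "REPORT /remote.php/dav/calendars/alice/personal/ HTTP/1.1" 207 9821 "-" "curl/8.4"
10.0.0.9 - mallory [02/Jun/2026:09:15:00 +0000] "PUT /remote.php/dav/calendars/alice/personal/evt1.ics HTTP/1.1" 201 0 "-" "curl/8.4"
10.0.0.11 - carol [02/Jun/2026:09:16:00 +0000] "PROPFIND /remote.php/dav/calendars/dave/work/ HTTP/1.1" 207 1500 "-" "Thunderbird"
10.0.0.12 - - [02/Jun/2026:09:17:00 +0000] "PROPFIND /remote.php/dav/calendars/alice/personal/ HTTP/1.1" 401 0 "-" "curl/8.4"
"""

# Delegations the administrator already knows about (owner -> set of delegates).
# In practice this allowlist would be built from a reviewed export of the
# oc_dav_cal_proxy table; the entry below is constructed for the sample.
KNOWN_DELEGATIONS: Dict[str, Set[str]] = {"dave": {"carol"}}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
CALENDAR_RE = re.compile(r'^/remote\.php/dav/calendars/(?P<owner>[^/]+)/')
PRINCIPAL_RE = re.compile(r'^/remote\.php/dav/principals/users/(?P<owner>[^/]+)/')
READ_METHODS = {"GET", "HEAD", "OPTIONS", "PROPFIND", "REPORT"}


@dataclass(frozen=True)
class Finding:
    actor: str      # authenticated user who sent the request
    owner: str      # user whose calendar or principal the path belongs to
    method: str
    path: str
    status: str
    reason: str


def review_calendar_access(log_text: str, known_delegations: Dict[str, Set[str]]) -> List[Finding]:
    """Return cross-user CalDAV requests that deserve a closer look.

    Two heuristics, both taken purely from the log line:
      * any non-read method aimed at another user's principal URL;
      * any request to another user's calendar collection by someone who is
        not a known delegate of that owner (reads and writes are both listed).
    """
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        actor, method, path, status = m["user"], m["method"], m["path"], m["status"]
        if actor == "-":
            continue  # unauthenticated requests are out of scope for this check

        if (pm := PRINCIPAL_RE.match(path)) and pm["owner"] != actor:
            if method not in READ_METHODS:
                findings.append(Finding(actor, pm["owner"], method, path, status,
                                        "non-read method against another user's principal URL"))
            continue

        if (cm := CALENDAR_RE.match(path)) and cm["owner"] != actor:
            owner = cm["owner"]
            if actor in known_delegations.get(owner, set()):
                continue  # documented delegation, nothing to review
            kind = "read of" if method in READ_METHODS else "write to"
            findings.append(Finding(actor, owner, method, path, status,
                                    f"{kind} another user's calendar without a known delegation"))
    return findings


def summarize(findings: List[Finding]) -> Dict[tuple, int]:
    """Count findings per (actor, owner) pair so a burst from one account stands out."""
    counts: Dict[tuple, int] = {}
    for f in findings:
        counts[(f.actor, f.owner)] = counts.get((f.actor, f.owner), 0) + 1
    return counts


if __name__ == "__main__":
    results = review_calendar_access(SAMPLE_LOG, KNOWN_DELEGATIONS)
    for f in results:
        print(f"{f.actor} -> {f.owner}: {f.method} {f.path} ({f.status}): {f.reason}")
    print(summarize(results))
```

On the constructed sample the script reports three requests by mallory against alice's principal and calendar, and nothing for carol, whose access to dave's calendar is covered by the allowlist. Cross-user reads are listed alongside writes on purpose: a delegate who was never granted access legitimately should show up even when the request only reads, and the per-pair summary makes a sudden cluster of such requests from one account easy to spot before deciding whether to inspect oc_dav_cal_proxy for that owner.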

Mitigation Strategies

The primary mitigation is to upgrade Nextcloud Server to version 33.0.3 or 32.0.9, or to upgrade Nextcloud Enterprise Server to one of the patched versions such as 33.0.3, 32.0.9, 31.0.14.5, or the other patched releases listed above.

If immediate patching is not possible, a temporary workaround is to block access to the calendar delegation endpoints and to clear the oc_dav_cal_proxy table, which prevents unauthorized calendar access at the cost of also removing legitimate calendar delegations until the table is repopulated.
