CVE-2026-45286
User Enumeration via Calendar Attendee Suggestions in Nextcloud
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | calendar | From 5.5.13 (inc) to 5.5.17 (exc) |
| nextcloud | calendar | From 6.2.0 (inc) to 6.2.3 (exc) |
| nextcloud | calendar | From 5.5.13 (inc) |
| nextcloud | calendar | From 6.2.0 (inc) |
| nextcloud | nextcloud | From 5.5.13 (inc) to 5.5.17 (exc) |
| nextcloud | nextcloud | From 6.2.0 (inc) to 6.2.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45286 is a vulnerability in the Nextcloud Calendar app affecting versions 5.5.13 to before 5.5.17 and 6.2.0 to before 6.2.3. An authenticated user can exploit the attendee suggestion endpoint to enumerate other users on the same Nextcloud instance. This happens because the sharing restrictions that normally apply to other endpoints do not work properly on this endpoint, allowing unauthorized access to user information.
The vulnerability allows users to bypass privacy controls and see individuals from other groups they should not have access to, due to the autocomplete feature displaying all users regardless of group restrictions or Share-API settings.
How can this vulnerability impact me?
This vulnerability primarily impacts the confidentiality of user information within a Nextcloud instance. An attacker with authenticated access can enumerate and discover user identities that should be hidden due to group or sharing restrictions.
This exposure of sensitive user identifiers can lead to privacy violations and unauthorized disclosure of user data. It may also undermine trust in the platform's ability to enforce access controls and protect user privacy.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability poses a significant data protection risk by allowing unauthorized access to user information that should be restricted. Such unauthorized disclosure of personal data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.
Because the vulnerability bypasses sharing and privacy settings, it undermines the principle of data minimization and confidentiality mandated by these regulations, potentially resulting in legal and regulatory consequences for affected organizations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the Calendar app's attendee suggestion endpoint to see if it allows an authenticated user to enumerate other users on the same Nextcloud instance, bypassing sharing restrictions.
A practical approach is to authenticate as a regular user and attempt to use the Calendar app's autocomplete or attendee suggestion feature to list users beyond your permitted groups or sharing scope.
Specific commands are not provided in the available resources, but you can use tools like curl or Postman to send authenticated requests to the Calendar app's attendee suggestion endpoint and observe if user enumeration is possible.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the Nextcloud Calendar app to a patched release: 5.5.17 or later on the 5.5 branch, or 6.2.3 or later on the 6.2 branch.
If upgrading immediately is not possible, a recommended workaround is to disable the Calendar app to prevent exploitation of the user enumeration vulnerability.
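As an added example (not part of this advisory and not Nextcloud project code), the following POSIX shell script turns the affected-version ranges above into a check an administrator can run on the Nextcloud host. It reads the installed Calendar app version through `occ config:app:get calendar installed_version` and reports whether it falls inside 5.5.13 to before 5.5.17 or 6.2.0 to before 6.2.3; the `NEXTCLOUD_DIR` default, the `www-data` user and the `--check` flag are assumptions for this example and should be adjusted to the deployment.

```shell
#!/bin/sh
# Added example, not from the advisory or the Nextcloud project.
# Checks whether the installed Calendar app version lies in an affected
# range for CVE-2026-45286: 5.5.13 <= v < 5.5.17 or 6.2.0 <= v < 6.2.3.

# Convert "major.minor.patch" into one comparable integer.
# Assumes each component is below 1000; a trailing suffix such as
# "-beta1" on the patch component is ignored.
version_key() {
  IFS=. read -r a b c <<EOF
$1
EOF
  c=${c%%[!0-9]*}
  echo $(( ${a:-0} * 1000000 + ${b:-0} * 1000 + ${c:-0} ))
}

# Returns 0 (true) when the given version is in an affected range, 1 otherwise.
is_affected_version() {
  v=$(version_key "$1")
  if [ "$v" -ge "$(version_key 5.5.13)" ] && [ "$v" -lt "$(version_key 5.5.17)" ]; then
    return 0
  fi
  if [ "$v" -ge "$(version_key 6.2.0)" ] && [ "$v" -lt "$(version_key 6.2.3)" ]; then
    return 0
  fi
  return 1
}

# Read the installed Calendar version from the instance via occ.
# NEXTCLOUD_DIR and the web-server user are assumptions; adjust for your host.
installed_calendar_version() {
  NEXTCLOUD_DIR="${NEXTCLOUD_DIR:-/var/www/nextcloud}"
  sudo -u www-data php "$NEXTCLOUD_DIR/occ" config:app:get calendar installed_version
}

# Usage: sh check_calendar_cve.sh --check   (on the Nextcloud host)
# The functions above can also be sourced and used on their own.
if [ "${1:-}" = "--check" ]; then
  ver=$(installed_calendar_version)
  if is_affected_version "$ver"; then
    echo "calendar $ver is in an affected range for CVE-2026-45286."
    echo "Update to 5.5.17 / 6.2.3 or later (php occ app:update calendar),"
    echo "or disable the app until you can (php occ app:disable calendar)."
    exit 2
  fi
  echo "calendar $ver is not in an affected range for CVE-2026-45286."
fi
```

The version comparison is done numerically rather than with string sorting so that, for example, 5.5.9 is correctly treated as older than 5.5.13. The `occ app:update` and `occ app:disable` commands are standard Nextcloud administration commands; the script only prints them as the two remediation options the advisory names, and does not run them itself.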