CVE-2026-45281: Nextcloud Calendar Authorization Bypass – Patched in 32.0.9 and 33.0.3
Nextcloud Server contains an authorization flaw in its calendar functionality that allows authenticated attackers to access other users' calendars if they know the target's principal URL. An attacker with valid Nextcloud credentials can exploit improper access controls to view and modify calendars belonging to other users, effectively bypassing permission boundaries. The vulnerability requires prior knowledge of another user's identifier and valid authentication to the Nextcloud instance.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-639
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with the knowledge of other users’ principal URL an attacker could possibly send a request to gain full access to their calendar. Therefore, the attacker must be an authenticated user. This is because of improper authorization controls in the backend of the calendar. If the attacker had access to the calendar, they would be able to view and modify it. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, 27.1.11.26, 26.0.13.26, 25.0.13.29, 24.0.12.34, 23.0.12.35, 22.2.10.39, or 21.0.9.23
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability stems from inadequate authorization checks in Nextcloud Server's calendar backend (CWE-639: Authorization through User-Controlled Key). The flaw affects versions 32.0.0–32.0.8 and 33.0.0–33.0.2. When a calendar access request is made with knowledge of a target user's principal URL, the backend fails to properly verify that the requesting user has legitimate access rights to that calendar. The authorization logic does not sufficiently validate the relationship between the requester and the calendar resource, allowing privilege escalation within the same Nextcloud instance. Exploitation requires valid authentication credentials but no elevated privileges.
Business impact
Organizations running vulnerable Nextcloud instances face unauthorized calendar disclosure and tampering. This enables data exfiltration of sensitive scheduling information, meeting details, and personal plans, as well as calendar manipulation that could disrupt organizational activities or enable social engineering through false meeting invitations. For enterprises using Nextcloud as a core collaboration platform, this represents a confidentiality and integrity breach affecting any user whose calendar is targeted. Compliance implications may arise if calendar data includes health, financial, or other protected information.
Affected systems
Nextcloud Server versions 32.0.0 through 32.0.8 and 33.0.0 through 33.0.2 are vulnerable. Nextcloud Enterprise Server versions prior to: 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, 27.1.11.26, 26.0.13.26, 25.0.13.29, 24.0.12.34, 23.0.12.35, 22.2.10.39, and 21.0.9.23 are also affected. Deployments of Community or Enterprise editions at any of these versions require patching. Self-hosted instances and managed Nextcloud services should both verify their version numbers and patch status immediately.
Exploitability
Exploitation requires valid Nextcloud user credentials and knowledge of a target user's principal URL (a parseable identifier for the calendar endpoint). The attack vector is network-based with low attack complexity—no special conditions or tricks are needed beyond knowing the target's identifier. The CVSS score of 8.1 (HIGH severity) reflects the high impact on confidentiality and integrity paired with moderate barriers to exploitation (authentication requirement). This is not a zero-day or remote code execution, but represents a meaningful privilege-escalation risk for any authenticated user in the system who discovers or infers another user's principal URL.
Remediation
Upgrade Nextcloud Server to version 32.0.9 or 33.0.3 immediately. For Nextcloud Enterprise Server, apply the vendor's recommended version for your current branch: 33.0.3, 32.0.9, or the appropriate patch level for versions 21 through 31. Verify the upgrade by checking the Nextcloud administration panel for the installed version. Test calendar access controls post-upgrade to confirm that users can no longer access calendars outside their permission scope. Review audit logs for any unauthorized calendar access attempts during the vulnerability window.
Patch guidance
Patches are available in the versions listed above. Nextcloud provides upgrades through its admin console or via direct download from nextcloud.com. For production environments, test patches in a staging instance first to ensure compatibility with custom calendar integrations or apps. The upgrade path is straightforward for most deployments; however, large instances should plan maintenance windows to minimize disruption. Verify against the official Nextcloud security advisory for your specific version to confirm the exact patch availability and any pre-upgrade steps.
Detection guidance
Review Nextcloud access logs for calendar requests originating from users accessing principals (calendar URLs) that do not belong to them. Look for HTTP requests to `/remote.php/dav/principals/` or `/remote.php/dav/calendars/` that include a different user's identifier in the request path than the authenticated user making the request. Enable enhanced logging in Nextcloud's configuration to capture calendar API interactions. Check for suspicious patterns such as rapid enumeration of principal URLs or repeated 403/401 responses followed by successful 200 responses, which may indicate an attacker discovering valid calendar principals. Correlate this with user login patterns to identify whether compromised or rogue accounts are performing reconnaissance.
Why prioritize this
This vulnerability merits high priority due to its direct impact on user privacy and data integrity, combined with ease of exploitation by any authenticated user. Organizations should prioritize patching before external actors discover the vulnerability in public instances. The requirement for authentication raises the bar slightly but does not eliminate risk, particularly in deployments with weak password policies, shared accounts, or where users have been compromised through other means. The confidentiality and integrity impact (both HIGH in CVSS) affecting calendar data—often treated as lower-sensitivity than email or documents—may cause organizations to underestimate urgency, but calendar information frequently contains sensitive organizational planning and personal scheduling that warrants protection.
Risk score, explained
The CVSS 3.1 score of 8.1 reflects: (1) Network-based attack vector requiring no physical access; (2) Low attack complexity—an attacker simply needs valid credentials and a target's principal URL; (3) Required authentication (PR:L) as a limiting factor; (4) Unchanged scope—the attacker operates within the same Nextcloud instance; (5) High confidentiality impact via unauthorized calendar viewing; (6) High integrity impact via unauthorized calendar modification; (7) No availability impact. The score appropriately captures the balance between the ease of exploitation (once authenticated) and the significant privacy/integrity risks, warranting urgent patching but not emergency incident-response-level priority unless the instance is exposed to untrusted users.
Frequently asked questions
Do I need to be an administrator to exploit this vulnerability?
No. Any authenticated Nextcloud user—including non-privileged user accounts—can exploit this flaw if they know or guess another user's principal URL. Administrative access is not required, which means the attack surface includes all user accounts in the system.
How would an attacker discover another user's principal URL?
Principal URLs often follow predictable patterns based on usernames (e.g., `/remote.php/dav/principals/users/[username]/`). An attacker can enumerate common usernames, observe URLs in shared documents or email headers, or infer patterns from organizational naming conventions. Some instances may also expose this information through directory listings or public APIs.
Does patching require downtime?
Nextcloud updates can typically be applied with minimal disruption in modern deployments. Most organizations can perform updates during off-peak hours or via blue-green deployment strategies. However, you should always test in a staging environment first and plan for potential calendar service interruption during the upgrade.
Is this vulnerability being actively exploited in the wild?
As of the vulnerability publication date, this vulnerability is not listed in the CISA KEV catalog, indicating no known active exploitation has been documented. However, given its ease of exploitation by any authenticated user, organizations should not delay patching while waiting for evidence of real-world attacks.
This analysis is based on the official CVE record and vendor advisory as of the publication date. Organizations should verify patch availability and compatibility with their specific Nextcloud deployment before applying updates. The information provided is for informational purposes and does not constitute security advice tailored to your environment. Consult Nextcloud's official security advisories and your own security team for deployment-specific guidance. No proof-of-concept exploit code or weaponization guidance is provided herein. This vulnerability affects Nextcloud Server and Nextcloud Enterprise Server; users should confirm their edition and version before proceeding with remediation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-45810MEDIUMNextcloud Comment Authorization Bypass (CVSS 6.8)
- CVE-2025-14772HIGHABB T-MAC Plus Authorization Bypass (CVSS 8.8)
- CVE-2026-41084HIGHApache Airflow Task Instances API Authorization Bypass
- CVE-2026-46414HIGHMicrosoft UFO WebSocket Authentication Bypass and Role Spoofing
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10597MEDIUMOMICARD EDM Unauthenticated Email Disclosure Vulnerability
- CVE-2026-23638MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch Guidance