CVE-2026-45286: Nextcloud Calendar User Enumeration via Attendee Endpoint
An authenticated user on a Nextcloud instance can discover other users' identities by abusing the Calendar app's attendee-suggestion feature. The vulnerability exists because this endpoint bypasses the access controls that Nextcloud applies elsewhere. An attacker already logged into the system can systematically enumerate valid usernames, potentially laying groundwork for targeted attacks like password spraying or social engineering. The flaw affects Nextcloud versions 5.5.13 through 5.5.16 and 6.2.0 through 6.2.2.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-200
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Nextcloud is an open source content collaboration platform. From versions 5.5.13 to before 5.5.17, and 6.2.0 to before 6.2.3, an authenticated user can enumerate users on the same Nextcloud instance by using the Calendar app's endpoint for suggesting attendees. The sharing restrictions, applied to other endpoints, were not effective here. This issue has been patched in versions 5.5.17 and 6.2.3.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The Calendar application in Nextcloud contains an information disclosure flaw stemming from improper enforcement of sharing restrictions on the attendee suggestion endpoint. When a user queries this endpoint to find potential meeting attendees, the system returns user identity information without verifying whether the requesting user should have visibility into those accounts according to the instance's sharing policy. This bypasses the access control model that guards other endpoints. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and requires prior authentication to exploit.
Business impact
User enumeration enables reconnaissance for subsequent attacks. An internal attacker or compromised low-privilege account can discover the full roster of users on the system, facilitating targeted phishing, credential stuffing, or account takeover attempts. Organizations relying on user identity obscurity as a security layer—such as those using obscure usernames to reduce attack surface—lose that protection. The exposure is limited to authenticated users, reducing risk for most deployments, but internal threats or supply-chain compromises become more dangerous.
Affected systems
Nextcloud Calendar is vulnerable in versions 5.5.13–5.5.16 (inclusive) and 6.2.0–6.2.2 (inclusive). Organizations running Nextcloud with the Calendar app enabled in these version ranges are at risk. Both on-premises and cloud-hosted Nextcloud instances are affected if they have not updated to the patched versions (5.5.17 or 6.2.3).
Exploitability
Exploitation requires valid Nextcloud credentials; no unauthenticated attack is possible. Once authenticated, an attacker can make repeated requests to the attendee-suggestion endpoint with varying query parameters to systematically extract usernames. The attack is straightforward to automate and leaves minimal forensic traces beyond access logs. The barrier to entry is authentication, not technical sophistication, making this exploitable by insiders or account holders with weak privileges.
Remediation
Upgrade affected Nextcloud instances to version 5.5.17 or later (for the 5.5.x branch) or version 6.2.3 or later (for the 6.2.x branch). Verify the patched version against official Nextcloud release notes and security advisories before deployment. No configuration workaround is available; patching is mandatory.
Patch guidance
1. Review your current Nextcloud version using the administration panel or command-line tools. 2. Back up the database and file system before upgrading. 3. If running 5.5.x, upgrade to 5.5.17 or later; if running 6.2.x, upgrade to 6.2.3 or later. 4. Test Calendar functionality in a staging environment to confirm compatibility with your deployment. 5. Monitor Nextcloud logs after patching for any anomalies. Verify the patch version against the official Nextcloud security advisory to confirm the fix is included.
Detection guidance
Monitor Calendar app access logs for unusual patterns in attendee-suggestion endpoint requests, particularly repeated queries with systematic parameter variations. Look for spikes in API calls from a single user account over short time windows. Implement rate limiting on the Calendar endpoint to slow brute-force enumeration attempts. Enable audit logging for API calls if your Nextcloud instance supports it, and review logs for reconnaissance-like activity from low-privilege or recently created accounts.
Why prioritize this
While CVSS 4.3 (Medium) reflects the requirement for authentication, user enumeration is a foundational reconnaissance step that enables follow-on attacks. Organizations should prioritize this patch alongside other medium-severity flaws, but treat it as less urgent than unauthenticated or high-impact vulnerabilities. The patch is straightforward and low-risk, making it suitable for standard maintenance windows.
Risk score, explained
The CVSS 3.1 score of 4.3 reflects limited scope: the vulnerability requires prior authentication (PR:L), affects only confidentiality (C:L) with no integrity or availability impact, and operates over the network with low complexity. The score appropriately captures that the threat is real but constrained. However, organizations should weigh contextual factors: insider threat risk, strength of access controls, and the strategic value of user identity information in your environment may warrant treating this as higher priority locally.
Frequently asked questions
Can an attacker enumerate users without a valid Nextcloud account?
No. The vulnerability requires prior authentication. An attacker must have valid credentials—either through compromise, insider access, or a weak account created by the organization. Unauthenticated enumeration is not possible.
Does this flaw expose user passwords or other sensitive data beyond usernames?
No. The endpoint returns user identity information (usernames/email addresses used in suggestions), not passwords, personal data, or system configuration. The impact is limited to disclosure of who exists on the system.
Are versions 5.5.17, 6.2.3, and newer fully patched?
Yes, according to the vendor advisory, these versions include the fix. Verify the exact patch version in your upgrade confirmation and cross-reference it against Nextcloud's official security advisory to confirm the remediation was applied.
If we disable the Calendar app, are we protected?
Disabling the Calendar app would prevent exploitation of this specific flaw. However, disabling entire applications is a heavy-handed workaround; upgrading to a patched version is the recommended approach.
This analysis is based on published vulnerability data as of the modification date. Organizations should verify patch availability and compatibility against official Nextcloud security advisories and release notes. CVSS scores are provided by the vendor and represent a standardized assessment; your organization's risk may differ based on deployment architecture, threat model, and access controls. No exploit code or detailed attack methodology is provided. Organizations should conduct internal testing before applying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-45277LOWNextcloud Approval Information Disclosure Vulnerability
- CVE-2026-10254MEDIUMUnauthenticated Information Disclosure in SourceCodester Pet Grooming Software
- CVE-2026-10854MEDIUMMISP Galaxy Visibility Control Bypass – Unauthorized Private Metadata Access
- CVE-2026-10864MEDIUMMISP Dashboard Widget Field Filtering Bypass (Medium)
- CVE-2026-2128MEDIUMBreeze WordPress Plugin Cache Information Disclosure (v2.5.2 and earlier)
- CVE-2026-28511MEDIUMeLabFTW Information Disclosure – Title Exposure via Cross-Scope Search
- CVE-2026-36602MEDIUMMercusys AC12G Kernel Memory Disclosure via UPnP
- CVE-2026-36615MEDIUMMercusys AC12G (EU) Unauthenticated Information Disclosure via /agileconfigreset Endpoint