CVE-2026-45286
MEDIUM
Nextcloud Calendar 5.5.13-5.5.16 and 6.2.0-6.2.2 - Authenticated User Enumeration via Attendee Suggestion Endpoint
Title source: llm
Description
Nextcloud is an open source content collaboration platform. From versions 5.5.13 to before 5.5.17, and 6.2.0 to before 6.2.3, an authenticated user can enumerate users on the same Nextcloud instance by using the Calendar app's endpoint for suggesting attendees. The sharing restrictions, applied to other endpoints, were not effective here. This issue has been patched in versions 5.5.17 and 6.2.3.
References (4)
Core References
Issue Tracking
https://github.com/nextcloud/calendar/issues/7971
Issue Tracking
https://github.com/nextcloud/calendar/pull/8197
Vendor Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r697-74m9-gvf2
Third Party Advisory
https://hackerone.com/reports/3540663
Scores
CVSS v3
4.3
EPSS
0.0027
EPSS Percentile
17.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (1)
nextcloud/calendar
5.5.13 - 5.5.17
Published
Jun 01, 2026
Tracked Since
Jun 02, 2026