Description
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with the knowledge of other users’ principal URL an attacker could possibly send a request to gain full access to their calendar. Therefore, the attacker must be an authenticated user. This is because of improper authorization controls in the backend of the calendar. If the attacker had access to the calendar, they would be able to view and modify it. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, 27.1.11.26, 26.0.13.26, 25.0.13.29, 24.0.12.34, 23.0.12.35, 22.2.10.39, or 21.0.9.23
Published: 2026-06-01
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an authorization flaw in the calendar backend of Nextcloud Server that lets an authenticated attacker who knows another user's principal URL gain full access to that user's calendar. The attacker can then view and modify calendar events, compromising confidentiality and integrity; availability is not affected (the CVSS vector carries A:N). The weakness is classified as CWE-639, Authorization Bypass Through User-Controlled Key: the server acts on a caller-supplied identifier, here the victim's principal URL, without verifying that the caller is entitled to operate on the object it names.

Affected Systems

The flaw affects Nextcloud Server releases from 32.0.0 up to, but not including, 32.0.9, and from 33.0.0 up to, but not including, 33.0.3. For Nextcloud Enterprise Server the advisory lists fixed releases rather than affected ranges: 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, 27.1.11.26, 26.0.13.26, 25.0.13.29, 24.0.12.34, 23.0.12.35, 22.2.10.39 and 21.0.9.23. Enterprise releases older than the fixed release on their branch should be treated as affected. The advisory names no fixed release for community Server branches older than 32, so this page does not state their status.
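
The following Python script is an added example, not part of the OpenCVE page or of Nextcloud's own tooling. It encodes the fixed versions quoted in the description above and classifies an installed version as affected, fixed, or unlisted (a branch the advisory does not name for that edition). It assumes that every Enterprise release older than the fixed release on its branch is affected (the advisory gives only fixed versions for those branches), that the operator knows which edition is installed and passes it as a flag, and that the version string is read from the `versionstring` line of `occ status`; the `occ status` output embedded below is constructed for the example, not captured from a real host.

```python
"""Classify a Nextcloud version against the fixed releases named for CVE-2026-45281."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Fixed releases copied from the advisory text, keyed by major branch. On the Server
# (community) edition the advisory also gives 32.0.0 / 33.0.0 as lower bounds, which are
# simply the start of each branch, so "older than the fix on the same branch" is equivalent.
SERVER_FIXED: Dict[int, str] = {32: "32.0.9", 33: "33.0.3"}

# Assumption (not stated on the page): anything older than the listed Enterprise release
# on the same branch is affected. This is the conservative reading of "upgrade to X".
ENTERPRISE_FIXED: Dict[int, str] = {
    33: "33.0.3", 32: "32.0.9", 31: "31.0.14.5", 30: "30.0.17.9", 29: "29.0.16.16",
    28: "28.0.14.17", 27: "27.1.11.26", 26: "26.0.13.26", 25: "25.0.13.29",
    24: "24.0.12.34", 23: "23.0.12.35", 22: "22.2.10.39", 21: "21.0.9.23",
}


def parse_version(text: str) -> Version:
    """'v32.0.8' -> (32, 0, 8). Rejects junk so a bad input is never silently 'fixed'."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def assess(version: str, enterprise: bool = False) -> str:
    """Return 'affected', 'fixed', or 'unlisted'.

    'unlisted' means the advisory names no fixed release for this branch and edition;
    it is not a statement that the version is safe.
    """
    v = parse_version(version)
    table = ENTERPRISE_FIXED if enterprise else SERVER_FIXED
    fixed = table.get(v[0])
    if fixed is None:
        return "unlisted"
    # Tuple comparison is component-wise, so (31, 0, 14, 3) < (31, 0, 14, 5)
    # and (32, 0, 9, 1) is not < (32, 0, 9).
    return "affected" if v < parse_version(fixed) else "fixed"


def version_from_occ_status(output: str) -> Optional[str]:
    """Pull the 'versionstring' value out of `occ status` output."""
    m = re.search(r"^\s*-\s*versionstring:\s*(\S+)", output, re.MULTILINE)
    return m.group(1) if m else None


# Constructed sample of `occ status` output for the example; not captured from a real host.
SAMPLE_OCC_STATUS = """  - installed: true
  - version: 32.0.8.1
  - versionstring: 32.0.8
  - edition: 
  - maintenance: false
"""

if __name__ == "__main__":
    found = version_from_occ_status(SAMPLE_OCC_STATUS)
    print(f"{found}: {assess(found)}")
    for ver, ent in [("32.0.9", False), ("33.0.2", False), ("31.0.14.3", True),
                     ("31.0.14.5", True), ("31.0.14", False), ("27.1.11.26", True)]:
        print(f"{ver} ({'enterprise' if ent else 'server'}): {assess(ver, ent)}")
```

Feed it the output of `php occ status` run from the instance's webroot as the web server user. An `unlisted` result only says that the page names no fixed release for that branch and edition; it should prompt a check of the vendor advisory rather than be read as a clean bill of health.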

Risk and Exploitability

With a CVSS 3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), the vulnerability is rated high severity. No EPSS score is available, the CVE is not in the CISA KEV catalog, and the SSVC record lists exploitation as "none", so no in-the-wild exploitation had been reported at publication. The attack requires an authenticated account on the instance, knowledge of the target's principal URL, and a request that updates the group-member-set named in the advisory title. No code execution is involved, but full read and write access to another user's calendar is a significant confidentiality and integrity risk, particularly where calendars carry meeting details, attendee lists or shared scheduling data.

Generated by OpenCVE AI on June 1, 2026 at 20:43 UTC.

Remediation

Vendor fix: upgrade Nextcloud Server to 32.0.9 or 33.0.3, or Nextcloud Enterprise Server to the fixed release for its branch listed in the description. No workaround is given.

OpenCVE Recommended Actions

  • Upgrade Nextcloud Server to 32.0.9 (32 branch) or 33.0.3 (33 branch), or Nextcloud Enterprise Server to the fixed release for its branch listed in the description, to remove the authorization bypass.
  • Because exploitation requires an authenticated account, limit who can obtain one (no open self-registration, prompt removal of stale accounts) and review existing calendar shares and access grants for entries the calendar owners did not create.
  • Until the upgrade is applied, review server logs for requests that update the group-member-set of a principal other than the requesting account's own, and for calendar changes made by accounts other than the calendar owner; these are the traces of exploitation that the advisory's description implies.



Advisories

No advisories yet.

History

Mon, 01 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with the knowledge of other users’ principal URL an attacker could possibly send a request to gain full access to their calendar. Therefore, the attacker must be an authenticated user. This is because of improper authorization controls in the backend of the calendar. If the attacker had access to the calendar, they would be able to view and modify it. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, 27.1.11.26, 26.0.13.26, 25.0.13.29, 24.0.12.34, 23.0.12.35, 22.2.10.39, or 21.0.9.23
Title | | Nextcloud: Cross-Account Calendar Takeover via Unauthorized Group-Member-Set Update
Weaknesses | | CWE-639
References | | 
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T19:22:51.714Z

Reserved: 2026-05-11T18:41:13.157Z

Link: CVE-2026-45281

Vulnrichment

Updated: 2026-06-01T19:22:47.816Z

NVD

Status : Received

Published: 2026-06-01T19:16:50.193

Modified: 2026-06-01T19:16:50.193

Link: CVE-2026-45281

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T20:45:25Z

Weaknesses