Description
Nextcloud is an open source content collaboration platform. From versions 5.5.13 to before 5.5.17, and 6.2.0 to before 6.2.3, an authenticated user can enumerate users on the same Nextcloud instance by using the Calendar app's endpoint for suggesting attendees. The sharing restrictions, applied to other endpoints, were not effective here. This issue has been patched in versions 5.5.17 and 6.2.3.
Published: 2026-06-01
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated Nextcloud user to retrieve a list of other user identifiers through the Calendar app's attendee suggestion API. This is an information-disclosure flaw (CWE-200) that enables enumeration of all users on the same Nextcloud instance, potentially giving an attacker insight into the user base and facilitating further social-engineering or targeted attacks. The flaw does not provide direct access to user data or configuration but exposes enough information to be exploited in lateral movement or phishing campaigns.

Affected Systems

Nextcloud Calendar app, versions 5.5.13 through 5.5.16 and 6.2.0 through 6.2.2. The issue was fixed in version 5.5.17 and in 6.2.3. No other versions are known to be affected.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity, reflecting that the attacker must be authenticated to use the endpoint. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting lower likelihood of widespread exploitation. However, because the flaw allows enumeration of user identities on the same instance, it poses a meaningful threat for privileged or compromised accounts, particularly in environments with many users or where user data is sensitive.

Generated by OpenCVE AI on June 1, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nextcloud to version 5.5.17 or later, or 6.2.3 or later, to receive the official fix that blocks enumeration via the attendee suggestion endpoint.
  • If an upgrade cannot be performed immediately, restrict or disable the attendee suggestion API for untrusted users and enforce stricter role permissions for calendar functions.
  • Review and tighten Nextcloud's sharing and access controls, ensuring that restricted sharing settings are applied uniformly across all endpoints, including the calendar app.



Advisories

No advisories yet.

History

Mon, 01 Jun 2026 21:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 19:00:00 +0000

Type          Values Removed   Values Added
Description   -                Nextcloud is an open source content collaboration platform. From versions 5.5.13 to before 5.5.17, and 6.2.0 to before 6.2.3, an authenticated user can enumerate users on the same Nextcloud instance by using the Calendar app's endpoint for suggesting attendees. The sharing restrictions, applied to other endpoints, were not effective here. This issue has been patched in versions 5.5.17 and 6.2.3.
Title         -                Nextcloud: Calendar app leaked user identifiers via attendee suggestion endpoint
Weaknesses    -                CWE-200
References    -
Metrics       -                cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T19:13:25.363Z

Reserved: 2026-05-11T20:14:43.200Z

Link: CVE-2026-45286

Vulnrichment

Updated: 2026-06-01T19:13:04.269Z

NVD

Status : Awaiting Analysis

Published: 2026-06-01T19:16:50.957

Modified: 2026-06-02T14:00:31.067

Link: CVE-2026-45286

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T20:45:25Z

Weaknesses