CVE-2026-45281 Overview
CVE-2026-45281 is a high-severity authorization flaw in the calendar backend of Nextcloud Server. An authenticated attacker who knows another user's principal URL can send a crafted request and gain full access to that user's calendar. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key): the requester's choice of principal selects the calendar and is trusted in place of an access decision, so both read and modify operations on another user's calendar data succeed.
The vulnerability affects Nextcloud Server versions 32.0.0 before 32.0.9 and 33.0.0 before 33.0.3, plus a wide range of Nextcloud Enterprise Server releases. Successful exploitation compromises the confidentiality and integrity of calendar data in any deployment with more than one user.
Critical Impact
Authenticated users can view and modify the calendars of other Nextcloud users, exposing meeting details, attendees, and scheduling data while enabling tampering with appointment records.
Affected Products
- Nextcloud Server 32.0.0 through versions before 32.0.9
- Nextcloud Server 33.0.0 through versions before 33.0.3
- Nextcloud Enterprise Server versions 21.0.x through 33.0.x prior to listed fixed builds
Discovery Timeline
- 2026-06-01 - CVE-2026-45281 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-45281
Vulnerability Analysis
The vulnerability resides in the calendar backend of Nextcloud Server. Authorization checks fail to verify that the requesting user owns, or has been granted access to, the calendar resource identified by the principal URL. The flaw is classified as CWE-639, Authorization Bypass Through User-Controlled Key, which is the Insecure Direct Object Reference (IDOR) pattern: a client-controlled identifier selects the object, and the identifier itself is treated as proof of entitlement.
The attacker must hold valid credentials on the Nextcloud instance. With another user's principal URL, the attacker issues calendar requests that the backend processes without enforcing the correct ownership check. The result is full read and write access to the target calendar, including event creation, modification, and deletion.
Because the issue is reachable over the network, needs no special attack complexity and requires only an ordinary user account, it is practical in any multi-user Nextcloud deployment, including enterprise SaaS-style hosting environments.
Root Cause
The root cause is missing or insufficient ownership validation in the CalDAV calendar backend. The principal URL, which references the calendar owner, is trusted as supplied by the requester rather than cross-checked against the authenticated session identity. This is a classic Insecure Direct Object Reference pattern.
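To make the IDOR shape concrete, the following added example (Python, not Nextcloud's code; the store, the function names and the principals/users/<uid> scheme are a hypothetical model) puts the faulty authorization decision next to a hardened one. The vulnerable variant answers "is there a calendar at the principal the client named?", which is a lookup, not an authorization check; the hardened variant derives authority from the authenticated session and only then consults ownership and shares.

```python
import re

# Principal URI in the form Nextcloud uses; the user ID is the last segment.
# The regex and the in-memory store below are illustrative, not the real backend.
PRINCIPAL_URI = re.compile(r"^principals/users/([^/]+)$")


class CalendarStore:
    """Hypothetical model of calendar ownership and shares."""

    def __init__(self):
        self.calendars = {}   # (owner, calendar_uri) -> list of events
        self.shares = {}      # (owner, calendar_uri) -> {grantee: "read" | "write"}

    def add_calendar(self, owner, uri):
        self.calendars[(owner, uri)] = []

    def share(self, owner, uri, grantee, level):
        self.shares.setdefault((owner, uri), {})[grantee] = level


def owner_from_principal(principal_uri):
    m = PRINCIPAL_URI.match(principal_uri)
    return m.group(1) if m else None


def vulnerable_authorize(store, session_user, principal_uri, calendar_uri, op):
    """CWE-639 shape: the requester-supplied principal picks the calendar and the
    authenticated user is never consulted, so any existing calendar is 'authorized'."""
    owner = owner_from_principal(principal_uri)
    return (owner, calendar_uri) in store.calendars


def hardened_authorize(store, session_user, principal_uri, calendar_uri, op):
    """Authority comes from the session: the owner named in the URL must be the
    session user, or the session user must hold a share that permits `op`."""
    owner = owner_from_principal(principal_uri)
    if owner is None or (owner, calendar_uri) not in store.calendars:
        return False
    if owner == session_user:
        return True
    level = store.shares.get((owner, calendar_uri), {}).get(session_user)
    if level is None:
        return False
    return op == "read" or level == "write"


def demo_store():
    """Constructed fixture: alice and bob own a calendar each; bob shares his read-only with carol."""
    store = CalendarStore()
    store.add_calendar("alice", "personal")
    store.add_calendar("bob", "personal")
    store.share("bob", "personal", "carol", "read")
    return store


if __name__ == "__main__":
    s = demo_store()
    for fn in (vulnerable_authorize, hardened_authorize):
        print(fn.__name__, "alice writes bob's calendar:",
              fn(s, "alice", "principals/users/bob", "personal", "write"))
```

The point to take from the two functions is where the decision's input comes from: the vulnerable one uses only the request, the hardened one starts from the session identity and treats the URL merely as the object being asked about.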
Attack Vector
An attacker authenticates to the Nextcloud instance and identifies a target user's principal URL. In Nextcloud that URL is derived from the user ID (principals/users/<uid>, with the calendar home at /remote.php/dav/calendars/<uid>/), so it is not a secret and can usually be inferred from a login name. The attacker then sends CalDAV requests against that principal's calendars. The backend serves reads and accepts modifications without enforcing that the authenticated session matches the calendar owner or holds a valid share.
No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-hrrv-mp25-26vv and the upstream pull request #59962 for technical specifics of the fix.
Detection Methods for CVE-2026-45281
Indicators of Compromise
- CalDAV or DAV requests from one authenticated user account targeting principal URLs belonging to another user (for example /remote.php/dav/calendars/<other_user>/).
- Unexpected PROPFIND, REPORT, PUT, or DELETE operations against calendar collections that do not match the requester's account.
- Calendar event creation, modification, or deletion events not initiated by the calendar owner in Nextcloud audit logs.
Detection Strategies
- Correlate the authenticated user identifier in the session with the principal URL path segment in each DAV request and alert on mismatches without an established share relationship.
- Baseline normal per-user CalDAV request patterns and flag account behaviour that suddenly enumerates or accesses multiple foreign principal paths.
- Review Nextcloud audit.log and webserver access logs for 200/207 responses on calendar paths that cross user boundaries.
Monitoring Recommendations
- Enable the Nextcloud admin_audit app so that authentication and user-level actions are written to audit.log, and verify on your version that the calendar operations you want to review actually appear there before relying on it for forensics.
- Forward webserver and Nextcloud application logs to a centralized log platform and retain at least 90 days of CalDAV activity.
- Alert on any non-administrative account accessing more than a small threshold of distinct principal URLs within a short time window.
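The two detection rules above (session user versus the owner segment of the calendar path, and one account touching many foreign principals in a short window) can be run over log lines directly. The following is an added example, not part of the original page or of Nextcloud: it parses constructed sample lines shaped like Nextcloud's JSON log (the user, method, url and time fields), flags cross-user calendar requests that are not covered by a share allow-list, and reports accounts that hit several distinct foreign owners within a window. The KNOWN_SHARES table, the thresholds and the sample traffic are assumptions for the demonstration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Calendar collection path served by Nextcloud's DAV endpoint; group 1 is the calendar owner.
CAL_PATH = re.compile(r"^/remote\.php/dav/calendars/([^/]+)/")
# Methods that change calendar data rather than read it.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "PROPPATCH", "MKCALENDAR", "MKCOL"}

# Constructed sample, shaped like Nextcloud JSON log lines (not real traffic).
SAMPLE_LOG = """\
{"reqId":"r1","time":"2026-06-02T10:15:22+00:00","remoteAddr":"10.0.0.5","user":"alice","method":"PROPFIND","url":"/remote.php/dav/calendars/alice/personal/"}
{"reqId":"r2","time":"2026-06-02T10:15:40+00:00","remoteAddr":"10.0.0.5","user":"alice","method":"REPORT","url":"/remote.php/dav/calendars/bob/personal/"}
{"reqId":"r3","time":"2026-06-02T10:16:05+00:00","remoteAddr":"10.0.0.5","user":"alice","method":"PUT","url":"/remote.php/dav/calendars/bob/personal/1234.ics"}
{"reqId":"r4","time":"2026-06-02T10:16:30+00:00","remoteAddr":"10.0.0.9","user":"carol","method":"PROPFIND","url":"/remote.php/dav/calendars/bob/personal/"}
{"reqId":"r5","time":"2026-06-02T10:17:01+00:00","remoteAddr":"10.0.0.5","user":"alice","method":"PROPFIND","url":"/remote.php/dav/calendars/dave/work/"}
{"reqId":"r6","time":"2026-06-02T10:17:15+00:00","remoteAddr":"10.0.0.5","user":"alice","method":"PROPFIND","url":"/remote.php/dav/calendars/erin/personal/"}
{"reqId":"r7","time":"2026-06-02T10:18:00+00:00","remoteAddr":"10.0.0.7","user":"bob","method":"GET","url":"/remote.php/dav/files/bob/notes.txt"}
not json at all
"""

# Hypothetical allow-list of (owner, grantee) pairs with a known legitimate reason to cross
# user boundaries; populate it from your own records.
KNOWN_SHARES = {("bob", "carol")}


def parse_line(line):
    """Return (time, user, method, owner, url) for an authenticated calendar request, else None."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    m = CAL_PATH.match(rec.get("url", ""))
    user = rec.get("user")
    if not m or not user or user == "--":   # "--" is how Nextcloud logs no session user
        return None
    return (datetime.fromisoformat(rec["time"]), user, rec.get("method", ""), m.group(1), rec["url"])


def cross_user_events(log_text, shares=KNOWN_SHARES):
    """Calendar requests whose owner path segment differs from the authenticated user
    and that are not in the allow-list. Each hit records whether it was a write."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, user, method, owner, url = parsed
        if owner == user or (owner, user) in shares:
            continue
        hits.append({"time": when, "user": user, "owner": owner, "method": method,
                     "url": url, "write": method.upper() in WRITE_METHODS})
    return hits


def enumerating_accounts(hits, threshold=3, window=timedelta(minutes=5)):
    """Users that touched at least `threshold` distinct foreign calendar owners
    within any span of length `window`. Returns {user: distinct owners seen}."""
    by_user = defaultdict(list)
    for h in hits:
        by_user[h["user"]].append((h["time"], h["owner"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (t_end, _) in enumerate(events):
            owners = {o for t, o in events[: i + 1] if t >= t_end - window}
            if len(owners) >= threshold:
                flagged[user] = len(owners)
                break
    return flagged


if __name__ == "__main__":
    hits = cross_user_events(SAMPLE_LOG)
    for h in hits:
        kind = "WRITE" if h["write"] else "read"
        print(f"{h['time'].isoformat()} {h['user']} -> {h['owner']} {h['method']} {kind} {h['url']}")
    print("enumerating accounts:", enumerating_accounts(hits))
```

Two caveats before deploying this. Nextcloud's own log only contains requests that produced a message at the configured level, so for full coverage feed it web server access logs in which the authenticated user is recorded, or the audit log, using the same field mapping. Also, shared calendars are normally exposed under the recipient's own calendar home (a collection such as .../calendars/carol/personal_shared_by_bob/), so a direct request to another user's calendar home is suspicious even when a share exists; keep the allow-list for service accounts and similar known exceptions rather than for ordinary shares.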
How to Mitigate CVE-2026-45281
Immediate Actions Required
- Upgrade Nextcloud Server to 32.0.9 (32.x branch) or 33.0.3 (33.x branch) as soon as possible.
- For Nextcloud Enterprise Server, upgrade to one of the fixed builds: 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, 27.1.11.26, 26.0.13.26, 25.0.13.29, 24.0.12.34, 23.0.12.35, 22.2.10.39, or 21.0.9.23.
- Audit recent calendar activity for cross-user access patterns and rotate credentials for any account suspected of misuse.
Patch Information
The fix is delivered through the upstream commit referenced in Nextcloud server pull request #59962, which corrects the authorization check in the calendar backend. Full advisory details are available in GHSA-hrrv-mp25-26vv and the associated HackerOne report #3545964.
Workarounds
- No vendor-supplied workaround exists; upgrading is the only supported remediation.
- As a temporary risk-reduction measure, restrict the CalDAV endpoints at the reverse proxy to trusted networks until patching is complete. This limits where the attack can come from, not who can perform it: any authenticated user on a permitted network can still exploit the flaw.
- Disabling the Calendar app only removes the web interface; the CalDAV backend affected here lives in the bundled dav app and keeps serving requests, so that step does not reduce exposure and should not be relied on as a workaround.
# Example upgrade using the Nextcloud updater CLI (run as the web server user)
# Download and stage the new release; the updater prompts before each step
sudo -u www-data php /var/www/nextcloud/updater/updater.phar
# Run the database and app migrations for the new version
sudo -u www-data php /var/www/nextcloud/occ upgrade
# Confirm the installed version is a fixed build (32.0.9 or 33.0.3 for Nextcloud Server)
sudo -u www-data php /var/www/nextcloud/occ status
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.