CVE-2026-45286 Overview
CVE-2026-45286 is an information disclosure vulnerability in the Nextcloud Calendar application. The flaw allows an authenticated user to enumerate other users on the same Nextcloud instance through the Calendar app's attendee suggestion endpoint. Sharing restrictions enforced on other endpoints are not applied to this code path, exposing user identities that should remain hidden. The vulnerability affects Nextcloud Calendar versions 5.5.13 through 5.5.16 and 6.2.0 through 6.2.2. Nextcloud addressed the issue in versions 5.5.17 and 6.2.3.
Critical Impact
Authenticated attackers can bypass sharing restrictions to enumerate user accounts on a Nextcloud instance, enabling targeted phishing and account-targeting attacks.
Affected Products
- Nextcloud Calendar versions 5.5.13 to 5.5.16
- Nextcloud Calendar versions 6.2.0 to 6.2.2
- Nextcloud instances with the Calendar app enabled and sharing restrictions configured
Discovery Timeline
- 2026-06-01 - CVE-2026-45286 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-45286
Vulnerability Analysis
The vulnerability resides in the Nextcloud Calendar app's endpoint that suggests attendees when creating or editing calendar events. The endpoint accepts a search query from an authenticated user and returns matching accounts from the instance's user directory. Administrators can configure Nextcloud to restrict autocomplete and user visibility through sharing settings, limiting which users can be discovered by others. These restrictions are honored by core sharing endpoints but were not applied to the attendee suggestion endpoint in the affected Calendar versions.
An authenticated attacker can query the endpoint repeatedly to enumerate accounts that should be hidden by sharing policy. This breaks the confidentiality boundary administrators expect from sharing restrictions and provides reconnaissance for follow-on attacks. The vulnerability is classified under [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.
Root Cause
The attendee suggestion endpoint queried the user backend directly without applying the sharing restriction checks used elsewhere in Nextcloud. The fix introduced in pull request #8197 adds the missing authorization logic so the endpoint honors the same restrictions as other user search interfaces.
Attack Vector
Exploitation requires a valid authenticated session on the target Nextcloud instance. The attacker issues HTTP requests to the Calendar attendee suggestion endpoint with varying search terms and parses the responses to enumerate user identifiers, display names, and email addresses. No user interaction from victims is required, and no special privileges beyond a standard account are necessary.
No verified proof-of-concept code is published. See the GitHub Security Advisory GHSA-r697-74m9-gvf2 and the HackerOne Report #3540663 for technical details.
Detection Methods for CVE-2026-45286
Indicators of Compromise
- Repeated authenticated requests from a single account to the Calendar attendee suggestion endpoint with rapidly changing search parameters
- High volumes of attendee lookup requests returning result sets larger than expected for normal calendar use
- Authenticated user sessions iterating alphabetically through short search queries against the Calendar API
Detection Strategies
- Review Nextcloud web server access logs for excessive requests to Calendar attendee search routes by a single session token
- Correlate Calendar endpoint usage with overall user behavior, flagging accounts that perform user enumeration patterns without creating events
- Hunt for sequential single-character or two-character search queries indicative of brute force enumeration
Monitoring Recommendations
- Enable verbose request logging on the Nextcloud reverse proxy or web server for Calendar API paths
- Set alerting thresholds on per-user request rates against attendee lookup endpoints
- Forward Nextcloud audit logs to a centralized analytics or SIEM platform for retention and behavioral analysis
How to Mitigate CVE-2026-45286
Immediate Actions Required
- Upgrade Nextcloud Calendar to version 5.5.17 or 6.2.3 as released by Nextcloud
- Audit account activity for evidence of enumeration prior to patching, focusing on the Calendar attendee endpoint
- Review sharing restriction settings to confirm they reflect current organizational policy after upgrade
Patch Information
Nextcloud released fixed versions 5.5.17 and 6.2.3 of the Calendar app. The fix is implemented in GitHub Pull Request #8197 and tracked in GitHub Issue #7971. Administrators should update through the Nextcloud app management interface or by deploying the patched package from the official release channel.
Workarounds
- Disable the Calendar app on affected instances until the patch can be applied if sharing restrictions are critical to the deployment
- Restrict Calendar app access to a smaller trusted group through Nextcloud group-based app enablement
- Apply rate limiting at the reverse proxy for Calendar API endpoints to slow enumeration attempts
# Upgrade the Calendar app via occ on the Nextcloud server
sudo -u www-data php occ app:update calendar
sudo -u www-data php occ app:list | grep calendar
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
