
CVE-2025-66546: CWE-639: Authorization Bypass Through User-Controlled Key in nextcloud security-advisories

Type: Vulnerability
Severity: Low
Tags: CVE-2025-66546, CWE-639
Published: Fri Dec 05 2025 (12/05/2025, 16:49:46 UTC)
Source: CVE Database V5
Vendor/Project: nextcloud
Product: security-advisories

Description

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments with a sequential ID without knowing the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1.

AI-Powered Analysis

Last updated: 12/05/2025, 17:15:31 UTC

Technical Analysis

CVE-2025-66546 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the Nextcloud Calendar app. In versions prior to 4.7.19, 5.5.6, and 6.0.1, the booking endpoint accepted a sequential appointment ID as the only key and did not require the per-appointment token that is supposed to authorize a booking. Because the ID is user-controlled and predictable, a low-privileged user could book appointments blindly by iterating through IDs, bypassing the intended authorization control. The vulnerability requires local access with low privileges (AV:L, PR:L) and no user interaction (UI:N). The impact is limited to confidentiality: unauthorized users can book appointments they were never given a token for, which may disclose scheduling information or create scheduling conflicts. Integrity and availability are not affected. The CVSS v3.1 base score is 3.3 (low severity). No exploits are known in the wild, and the issue was publicly disclosed on December 5, 2025. The flaw is fixed in Nextcloud Calendar 4.7.19, 5.5.6, and 6.0.1. Nextcloud is widely used by European organizations for collaboration and scheduling, so entities running affected versions are concerned. The root cause is a familiar one: a lookup keyed on a user-supplied identifier was treated as sufficient authorization, when the application should have checked a secret the caller cannot guess.
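As an added illustration of the CWE-639 pattern described above (not code from the Nextcloud Calendar app; the in-memory store, the function names and the token format are hypothetical assumptions), the Python below contrasts a booking handler that trusts the user-controlled sequential ID with one that also requires the per-appointment token, compared in constant time:

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


# Hypothetical in-memory appointment model; not Nextcloud's data schema.
@dataclass
class Appointment:
    appointment_id: int          # sequential database key, supplied by the client in the request
    token: str                   # unguessable secret that must accompany a booking
    owner: str
    booked_by: Optional[str] = None


@dataclass
class AppointmentStore:
    _next_id: int = 1
    _by_id: Dict[int, Appointment] = field(default_factory=dict)

    def create(self, owner: str) -> Appointment:
        appt = Appointment(
            appointment_id=self._next_id,
            token=secrets.token_urlsafe(32),   # 256 bits of entropy, unrelated to the ID
            owner=owner,
        )
        self._next_id += 1
        self._by_id[appt.appointment_id] = appt
        return appt

    def get(self, appointment_id: int) -> Optional[Appointment]:
        return self._by_id.get(appointment_id)


def book_vulnerable(store: AppointmentStore, appointment_id: int, booker: str) -> bool:
    """The vulnerable shape: the only key consulted is the user-controlled ID,
    so whoever knows or guesses a valid ID can book the slot."""
    appt = store.get(appointment_id)
    if appt is None or appt.booked_by is not None:
        return False
    appt.booked_by = booker
    return True


def book_hardened(store: AppointmentStore, appointment_id: int, token: str, booker: str) -> bool:
    """The fixed shape: the ID is still used for lookup, but authorization comes
    from the per-appointment token, which the client must present."""
    appt = store.get(appointment_id)
    if appt is None or appt.booked_by is not None:
        return False
    # Constant-time comparison so response timing does not leak token prefixes.
    if not hmac.compare_digest(appt.token.encode("utf-8"), token.encode("utf-8")):
        return False
    appt.booked_by = booker
    return True


def demo() -> Dict[str, bool]:
    """Run both handlers against a caller who supplies an ID but no valid token."""
    store_v = AppointmentStore()
    appt_v = store_v.create(owner="alice")
    result = {
        "vulnerable_books_by_id_alone": book_vulnerable(store_v, appt_v.appointment_id, "unknown"),
    }
    store_h = AppointmentStore()
    appt_h = store_h.create(owner="alice")
    result["hardened_rejects_missing_token"] = book_hardened(store_h, appt_h.appointment_id, "", "unknown")
    result["hardened_rejects_wrong_token"] = book_hardened(
        store_h, appt_h.appointment_id, secrets.token_urlsafe(32), "unknown")
    result["hardened_accepts_real_token"] = book_hardened(store_h, appt_h.appointment_id, appt_h.token, "bob")
    result["hardened_rejects_double_booking"] = book_hardened(store_h, appt_h.appointment_id, appt_h.token, "carol")
    return result


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The design point is that the sequential ID is fine as a database key but carries no authorization; the token is the capability, it is generated with a CSPRNG so it cannot be derived from the ID, and it is compared with `hmac.compare_digest` so a failed check costs the same time regardless of how many leading bytes matched.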

Potential Impact

For European organizations, this vulnerability could lead to unauthorized appointment bookings within Nextcloud Calendar, potentially exposing sensitive scheduling information or disrupting organizational workflows. While the impact on confidentiality is limited, unauthorized bookings could cause confusion, privacy breaches, or operational inefficiencies, especially in sectors like healthcare, government, or finance where scheduling confidentiality is critical. Since exploitation requires low privilege local access, insider threats or compromised accounts could leverage this flaw. The vulnerability does not affect system integrity or availability, so it is unlikely to cause system outages or data corruption. However, organizations with strict compliance requirements around data privacy and access control may face regulatory scrutiny if such unauthorized access occurs. The lack of known exploits reduces immediate risk, but the widespread use of Nextcloud in Europe means that unpatched systems remain vulnerable. Organizations using affected versions should prioritize patching to maintain secure scheduling environments and prevent potential misuse.

Mitigation Recommendations

1. Upgrade Nextcloud Calendar to versions 4.7.19, 5.5.6, or 6.0.1 or later, where the vulnerability is fixed.
2. Restrict access to Nextcloud Calendar services to trusted internal networks and authenticated users only, minimizing exposure to low-privilege attackers.
3. Implement monitoring and alerting on calendar booking activities to detect unusual patterns such as sequential appointment bookings or bulk scheduling attempts.
4. Enforce strong authentication and access control policies for Nextcloud users to reduce the risk of compromised low-privilege accounts.
5. Conduct regular security audits and penetration testing focused on authorization controls in collaboration tools.
6. Educate users and administrators about the importance of timely patching and monitoring for suspicious calendar activities.
7. If upgrading is not immediately possible, consider temporary compensating controls such as disabling calendar booking features or restricting appointment creation permissions to higher-privileged roles.
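As an added example of the monitoring suggested in item 3 (not part of this advisory, and not Nextcloud's own logging: the log format, field names and thresholds below are constructed assumptions), this Python parses booking-attempt log lines and flags any user whose attempts walk through consecutive appointment IDs in quick succession. Denied attempts are counted as well, since an enumeration is visible whether or not each booking succeeds:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log in a hypothetical "key=value" format; not Nextcloud's real schema.
SAMPLE_LOG = """\
2025-12-05T16:50:01Z user=alice action=booking.attempt appointment_id=1041 status=ok
2025-12-05T16:50:03Z user=eve action=booking.attempt appointment_id=1042 status=ok
2025-12-05T16:50:04Z user=eve action=booking.attempt appointment_id=1043 status=ok
2025-12-05T16:50:05Z user=eve action=booking.attempt appointment_id=1044 status=denied
2025-12-05T16:50:06Z user=eve action=booking.attempt appointment_id=1045 status=ok
2025-12-05T16:50:07Z user=eve action=booking.attempt appointment_id=1046 status=ok
2025-12-05T16:50:09Z user=eve action=booking.attempt appointment_id=1047 status=ok
2025-12-05T16:55:00Z user=bob action=booking.attempt appointment_id=2210 status=ok
2025-12-05T17:01:00Z user=bob action=booking.attempt appointment_id=2211 status=ok
2025-12-05T17:02:00Z user=alice action=calendar.view
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=booking\.attempt "
    r"appointment_id=(?P<id>\d+) status=(?P<status>\S+)$"
)


def parse_log(text: str) -> List[Tuple[datetime, str, int, str]]:
    """Return (timestamp, user, appointment_id, status) for each booking attempt,
    skipping lines that are not booking attempts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], int(m["id"]), m["status"]))
    return events


def find_sequential_bookers(
    text: str,
    max_gap: timedelta = timedelta(minutes=1),
    min_run: int = 4,
) -> Dict[str, int]:
    """Map each flagged user to the length of their longest run of attempts in which
    every attempt targets the previous ID + 1 and arrives within `max_gap` of it."""
    by_user: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, user, appointment_id, _status in parse_log(text):
        by_user[user].append((ts, appointment_id))

    flagged: Dict[str, int] = {}
    for user, attempts in by_user.items():
        attempts.sort()
        longest = run = 1
        for (prev_ts, prev_id), (ts, appointment_id) in zip(attempts, attempts[1:]):
            if appointment_id == prev_id + 1 and ts - prev_ts <= max_gap:
                run += 1
            else:
                run = 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[user] = longest
    return flagged


if __name__ == "__main__":
    for user, run_len in find_sequential_bookers(SAMPLE_LOG).items():
        print(f"ALERT user={user} consecutive_appointment_ids={run_len}")
```

In the sample, `eve` is flagged with a run of six consecutive IDs inside a few seconds, while `bob`, who touches two adjacent IDs six minutes apart, is not; tune `max_gap` and `min_run` to the normal booking rate of the deployment, and treat the alert as a trigger to review the account rather than as proof of abuse on its own.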


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-04T15:52:26.549Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69330fa6f88dbe026cfb407e

Added to database: 12/5/2025, 5:00:22 PM

Last enriched: 12/5/2025, 5:15:31 PM

Last updated: 12/6/2025, 6:30:33 AM
