CVE-2025-66546 is an authorization bypass vulnerability identified in the Nextcloud Calendar application, affecting versions prior to 4.7.19, 5.5.6, and 6.0.1. The vulnerability arises from the calendar app's handling of appointment booking, where it allowed appointments to be booked by sequentially guessing appointment IDs without requiring the appointment token, which is normally used to authorize such actions. This flaw corresponds to CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability requires an attacker to have low privileges (PR:L) and local access (AV:L), but no user interaction is needed (UI:N). The CVSS 3.1 base score is 3.3, indicating low severity, primarily impacting confidentiality (C:L) with no impact on integrity or availability. The flaw could allow unauthorized users to book appointments on behalf of others, potentially exposing sensitive scheduling information or causing confusion in organizational calendars. The issue was fixed in the specified patched versions (4.7.19, 5.5.6, 6.0.1). There are no known exploits in the wild, and the vulnerability does not allow remote exploitation without local access or privilege. The sequential ID guessing attack vector indicates a design weakness in how appointment tokens are validated and enforced.

For European organizations, the impact of CVE-2025-66546 is primarily on the confidentiality of calendar appointment data. Unauthorized booking of appointments could lead to information disclosure about organizational schedules or personal meetings. While the vulnerability does not affect data integrity or system availability, it could be leveraged in targeted attacks to cause operational confusion or privacy breaches. Organizations relying heavily on Nextcloud Calendar for sensitive scheduling, such as government agencies, healthcare providers, or financial institutions, may face risks related to unauthorized appointment creation or exposure of calendar metadata. The requirement for local access and low privileges limits the threat to insiders or attackers who have already compromised user accounts with limited rights. Given the low CVSS score and no known exploits, the immediate risk is low but should not be ignored, especially in environments with strict confidentiality requirements.

European organizations should promptly update Nextcloud Calendar to versions 4.7.19, 5.5.6, or 6.0.1 or later to remediate this vulnerability. Beyond patching, administrators should enforce strict access controls to limit local access to trusted users only, reducing the risk of exploitation by low-privilege attackers. Monitoring calendar booking activities for unusual patterns, such as rapid sequential appointment creation, can help detect exploitation attempts. Implementing multi-factor authentication and strong user account management will reduce the likelihood of unauthorized local access. Additionally, reviewing and hardening the configuration of Nextcloud instances to restrict API access and enforce token validation mechanisms can mitigate similar authorization bypass risks. Regular security audits and user training on insider threat awareness will further reduce exposure.