CVE-2025-66550 is a vulnerability identified in the Nextcloud Calendar application, specifically affecting versions prior to 4.7.17 and 5.2.4. The root cause is improper handling of unexpected data types (CWE-241) when processing calendar event attachments. A malicious user with permission to create calendar events can craft an event containing an attachment that links to a file hosted on the same Nextcloud server. When other users interact with this event, the application automatically downloads the linked file without requiring explicit user confirmation. This behavior can lead to unauthorized modification of data or unintended file downloads, impacting the integrity of user data. The vulnerability requires the attacker to have at least limited privileges to create calendar events and some user interaction to trigger the download. The CVSS v3.1 score is 5.7 (medium severity), reflecting network attack vector, low attack complexity, privileges required, and user interaction. The flaw has been addressed in Nextcloud Calendar versions 4.7.17 and 5.2.4 by correcting the handling of attachment data types to prevent automatic downloads without user consent. No public exploits have been reported, but the vulnerability poses a risk to organizations relying on affected Nextcloud versions for calendar management.

For European organizations, this vulnerability could lead to unauthorized data modification or leakage within Nextcloud environments, particularly affecting collaborative workflows that rely on calendar events. Since Nextcloud is widely used in Europe for secure file sharing and collaboration, exploitation could undermine data integrity and trust in internal communications. The automatic download of files without user consent could also expose users to further risks if the downloaded files are malicious or sensitive. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, may face compliance risks if this vulnerability is exploited. Although the attack requires some privileges and user interaction, insider threats or compromised accounts could leverage this flaw to propagate malicious files or disrupt operations. The absence of known exploits reduces immediate risk but does not eliminate the potential for targeted attacks, especially in environments with outdated Nextcloud Calendar versions.

European organizations should prioritize upgrading Nextcloud Calendar to versions 4.7.17 or 5.2.4 or later to eliminate this vulnerability. Additionally, implement strict access controls to limit calendar event creation privileges to trusted users only. Employ monitoring and alerting for unusual calendar event creation patterns or unexpected file downloads within Nextcloud logs. Educate users about the risks of interacting with calendar attachments from untrusted sources and encourage verification before opening attachments. Consider deploying network-level controls to restrict unauthorized file downloads from internal servers. Regularly audit Nextcloud instances for outdated components and apply security patches promptly. For environments with high security requirements, consider isolating Nextcloud services and enforcing multi-factor authentication to reduce the risk of account compromise that could enable exploitation.