CVE-2026-45281: CWE-639: Authorization Bypass Through User-Controlled Key in nextcloud security-advisories
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an attacker with knowledge of another user's principal URL could send a request to gain full access to that user's calendar. The attacker must therefore be an authenticated user. The cause is improper authorization controls in the calendar backend. With access to the calendar, the attacker would be able to view and modify it. It is recommended that Nextcloud Server be upgraded to 33.0.3 or 32.0.9. It is recommended that Nextcloud Enterprise Server be upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, 27.1.11.26, 26.0.13.26, 25.0.13.29, 24.0.12.34, 23.0.12.35, 22.2.10.39, or 21.0.9.23.
AI Analysis (machine-generated threat intelligence)
Technical Summary
Nextcloud Server contains an authorization bypass vulnerability (CWE-639) affecting calendar access. Authenticated users with knowledge of another user's principal URL can exploit improper backend authorization to gain full read and write access to that user's calendar. This affects Nextcloud Server versions 32.0.0 up to but not including 32.0.9, and 33.0.0 up to but not including 33.0.3. The vulnerability allows unauthorized calendar data disclosure and modification. The vendor recommends upgrading to fixed versions 32.0.9 or 33.0.3, or the corresponding patched Enterprise Server versions.
Potential Impact
An authenticated attacker can bypass authorization controls to fully access and modify another user's calendar data. This compromises confidentiality and integrity of calendar information but does not affect availability. The CVSS v3.1 score is 8.1 (high), reflecting network attack vector, low attack complexity, required privileges of an authenticated user, no user interaction, and high impact on confidentiality and integrity.
Mitigation Recommendations
Upgrading Nextcloud Server to version 32.0.9 or 33.0.3, or the specified patched Enterprise Server versions, fully mitigates this vulnerability. No other mitigation or temporary workaround is indicated. Patch status is confirmed by vendor recommendations in the advisory.
CVSS v3.1 Score: 8.1 (High)
Weaknesses: CWE-639 (Authorization Bypass Through User-Controlled Key)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-11T18:41:13.157Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a1de306e29bf47b503a5571
Added to database: 6/1/2026, 7:52:38 PM
Last enriched: 6/1/2026, 8:04:02 PM
Last updated: 6/2/2026, 6:54:52 AM