CVE-2026-45281 · Severity: HIGH · CNA: GitHub_M

CVE-2026-45281: Nextcloud: Cross-Account Calendar Takeover via Unauthorized Group-Member-Set Update

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an attacker who knows another user's principal URL could possibly send a request to gain full access to that user's calendar. The attacker must therefore be an authenticated user. The cause is improper authorization controls in the calendar backend. With access to the calendar, the attacker would be able to view and modify it. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, 27.1.11.26, 26.0.13.26, 25.0.13.29, 24.0.12.34, 23.0.12.35, 22.2.10.39, or 21.0.9.23.
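As an added example (not part of the advisory or of Nextcloud's own code), the following Python checker compares the version a Nextcloud instance reports against the affected Server ranges and the recommended Enterprise fix versions listed above. It assumes the JSON shape of Nextcloud's `status.php` endpoint (the `version` field); the sample response embedded below is constructed for illustration.

```python
"""Check a reported Nextcloud version against the ranges in this advisory
(CVE-2026-45281).  Added example: the version ranges and fix versions are
taken from the advisory text; the sample status.php body is constructed."""
import json
from typing import Dict, Optional, Tuple

# Vulnerable Nextcloud Server ranges stated in the advisory: [lower, fixed)
SERVER_AFFECTED_RANGES = (
    ((32, 0, 0), (32, 0, 9)),
    ((33, 0, 0), (33, 0, 3)),
)

# Recommended Nextcloud Enterprise upgrade target per release branch
ENTERPRISE_FIX_VERSIONS: Dict[int, str] = {
    33: "33.0.3", 32: "32.0.9", 31: "31.0.14.5", 30: "30.0.17.9",
    29: "29.0.16.16", 28: "28.0.14.17", 27: "27.1.11.26", 26: "26.0.13.26",
    25: "25.0.13.29", 24: "24.0.12.34", 23: "23.0.12.35", 22: "22.2.10.39",
    21: "21.0.9.23",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '32.0.5.1' into (32, 0, 5, 1).

    Tuples compare lexicographically, so (32, 0, 8, 3) < (32, 0, 9) and
    (32, 0, 9, 1) >= (32, 0, 9), which is the ordering we need for
    '[lower, fixed)' range checks.  Raises ValueError on non-numeric input.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts:
        raise ValueError("empty version string")
    return parts


def is_affected_server(version: str) -> bool:
    """True if the version falls inside one of the advisory's Server ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in SERVER_AFFECTED_RANGES)


def enterprise_fix_for(version: str) -> Optional[str]:
    """Return the Enterprise fix version for this version's branch when the
    instance is below it; None if already at/above it or branch not listed."""
    v = parse_version(version)
    fix = ENTERPRISE_FIX_VERSIONS.get(v[0])
    if fix is None or v >= parse_version(fix):
        return None
    return fix


def assess_status_json(status_json: str) -> dict:
    """Evaluate the JSON body returned by a Nextcloud status.php endpoint."""
    data = json.loads(status_json)
    version = data["version"]  # e.g. "32.0.5.1"; versionstring drops the build part
    return {
        "version": version,
        "server_affected": is_affected_server(version),
        "enterprise_fix": enterprise_fix_for(version),
    }


# Constructed sample in the shape of a status.php response (not real data)
SAMPLE_STATUS = json.dumps({
    "installed": True, "maintenance": False, "needsDbUpgrade": False,
    "version": "32.0.5.1", "versionstring": "32.0.5", "edition": "",
    "productname": "Nextcloud", "extendedSupport": False,
})

if __name__ == "__main__":
    print(assess_status_json(SAMPLE_STATUS))
```

The checker deliberately compares full four-part versions so that a build like 32.0.9.1 is correctly treated as at or above the 32.0.9 fix; feeding it the `version` field rather than `versionstring` keeps that precision.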

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: (none listed)
Affected Products: 1


HarborGuard Analysis

Synopsis

An improper authorization vulnerability in Nextcloud Server allows an authenticated attacker to take over another user's calendar by sending a crafted request to a known principal URL. The attack is reachable over the network, requires a low-privilege account, and needs no victim interaction. Successful exploitation gives the attacker full read and write access to the targeted user's calendar. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as upstream ships a fix.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built Nextcloud images.

Triage: Available

HarborGuard can score this finding at CVSS 8.1 (HIGH) and weight it against each environment's compliance policy, then route the alert to the appropriate team inbox within the customer organization.

Patch: Pending upstream

Because no fix version has been published, HarborGuard re-checks the upstream advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment the upstream fix is released. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and a PR opened against affected workloads will follow without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network; an attacker must be able to reach the Nextcloud Server instance via HTTP/HTTPS to send the crafted principal URL request.

  • Authentication: Required

    The attacker must hold a valid low-privilege Nextcloud account; any ordinary user credential is sufficient to trigger the improper authorization flaw.

  • Victim interaction: Not required

    No action is needed from the calendar owner; the attacker sends the request directly to the backend without any social-engineering step.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and condition-free once the attacker knows the target user's principal URL; no race conditions or special environmental factors are required.

Blast Radius

  • Reads all calendar events stored in the targeted user's calendar, including meeting titles, attendees, locations, and private notes.
  • Modifies or deletes calendar entries in the targeted user's calendar, enabling appointment tampering or disruption of scheduled workflows.
  • Exposes organizational scheduling patterns and participant details that can be leveraged for further social-engineering attacks.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for CVE-2026-45281, HarborGuard continuously monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released by Nextcloud. In the interim, customers can apply compensating controls through HarborGuard network-policy recommendations: isolate Nextcloud Server instances behind an ingress layer that restricts principal URL enumeration, apply egress filtering to limit lateral movement from a compromised Nextcloud pod, and consider feature-flag gating on calendar sharing features if supported by your deployment configuration. For customers with auto-remediation enabled, once a fix version is published the rebuild, regression-test run, and PR against affected workloads will be triggered without manual action.

Affected packages
  • nextcloud / security-advisories
    >= 32.0.0, < 32.0.9 · >= 33.0.0, < 33.0.3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N