Primary

Context

Nextcloud Calendar Participant Token Generation Vulnerability in Meeting Proposals

Vulnerability

Patched

A vulnerability exists in the Nextcloud Calendar app, specifically in versions 6.0.0 prior to 6.0.3. The issue arises because the app generates participant tokens for meeting proposals using a predictable hash function. This allows an attacker to calculate valid tokens, enabling them to request details and propose dates in meetings. The vulnerability is rooted in the tokens not being randomly generated.

Impact

Exploitation of this vulnerability allows for the manipulation of meeting proposals by computing valid participant tokens, which could be used to request proposal details and submit dates.

Remediation

Users are advised to update the Nextcloud Calendar app to version 6.0.3. If an immediate update is not possible, the Calendar app can be disabled as a temporary workaround.

Added: Dec 5, 2025, 5:25 PM

Updated: Dec 5, 2025, 5:25 PM

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

3.1

exploitability

7.1

remediation

8.3

relevance

1.3

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

3.1

exploitability

7.1

remediation

8.3

relevance

1.3

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Nextcloud Calendar Participant Token Generation Vulnerability in Meeting Proposals

Vulnerability

Impact

Remediation

Affected Products

Nextcloud Calendar

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating