Nextcloud Calendar Blind Appointment Booking Vulnerability

Vulnerability

A vulnerability in Nextcloud Calendar versions 4.0.0 through 4.7.18, 5.0.0 through 5.5.5, and 6.0.0 allows an appointment to be booked without the appointment token: the booking endpoint also accepts the slot's sequential ID, which an attacker can enumerate, in place of the random token that is supposed to act as the booking capability. This issue has been addressed in versions 4.7.19, 5.5.6, and 6.0.1.

Impact

Exploitation of this vulnerability allows unauthorized booking of appointments: an attacker who guesses or enumerates a sequential ID can reserve slots without ever having received the appointment token, potentially leading to scheduling conflicts or misuse of the calendar system.

Reproduction

To reproduce this vulnerability, send the normal appointment booking request but supply the slot's sequential ID while omitting the appointment token. A vulnerable version accepts the booking even though the token, which is required for a legitimate booking, is absent; a fixed version rejects any booking request that does not carry a valid token. Because the ID is sequential, the request can be repeated across a range of IDs to book slots blindly.
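The following is an added illustrative model of the bug class described under Vulnerability and Reproduction. It is not Nextcloud's code; the in-memory store, the function names, and the attacker loop are assumptions made for the example. It shows a booking check that falls back to the sequential slot ID when no token is supplied, the hardened form that treats the random token as the only accepted capability, and an enumeration loop that succeeds against the first and fails against the second.

```python
"""Hypothetical model of token-vs-sequential-ID appointment booking (not Nextcloud code)."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Slot:
    slot_id: int            # sequential primary key: trivially enumerable
    token: str              # random token handed only to the intended booker
    booked_by: Optional[str] = None


class BookingStore:
    """Assumed in-memory store standing in for the application's database."""

    def __init__(self) -> None:
        self._slots: Dict[int, Slot] = {}

    def create_slot(self) -> Slot:
        slot_id = len(self._slots) + 1                 # IDs are issued sequentially
        slot = Slot(slot_id, secrets.token_urlsafe(32))
        self._slots[slot_id] = slot
        return slot

    def _find_by_token(self, token: str) -> Optional[Slot]:
        # Linear scan with a constant-time comparison so the token check itself
        # does not leak which prefix matched.
        for slot in self._slots.values():
            if secrets.compare_digest(slot.token, token):
                return slot
        return None

    def _claim(self, slot: Optional[Slot], who: str) -> bool:
        if slot is None or slot.booked_by is not None:
            return False
        slot.booked_by = who
        return True

    # Vulnerable form: if the caller omits the token, the sequential ID is
    # accepted on its own, so the token is not actually required.
    def book_vulnerable(self, who: str, token: Optional[str] = None,
                        slot_id: Optional[int] = None) -> bool:
        if token:
            return self._claim(self._find_by_token(token), who)
        if slot_id is not None:                        # the bug: ID alone suffices
            return self._claim(self._slots.get(slot_id), who)
        return False

    # Hardened form: the token is the only capability; a supplied ID is ignored.
    def book_hardened(self, who: str, token: Optional[str] = None,
                      slot_id: Optional[int] = None) -> bool:
        if not token:
            return False
        return self._claim(self._find_by_token(token), who)


def enumerate_ids(attacker: str, book: Callable[..., bool], max_id: int = 100) -> int:
    """Blind attacker: walk sequential IDs with no token. Returns bookings won."""
    won = 0
    for candidate in range(1, max_id + 1):
        if book(attacker, slot_id=candidate):
            won += 1
    return won


def demo(n_slots: int = 5) -> Tuple[int, int]:
    """Return (slots won against vulnerable check, slots won against hardened check)."""
    vulnerable = BookingStore()
    for _ in range(n_slots):
        vulnerable.create_slot()
    hardened = BookingStore()
    for _ in range(n_slots):
        hardened.create_slot()
    return (enumerate_ids("attacker", vulnerable.book_vulnerable),
            enumerate_ids("attacker", hardened.book_hardened))


if __name__ == "__main__":
    print(demo())  # (5, 0): every slot booked blindly vs. none
```

The fix is not to make IDs random but to stop accepting the ID as a credential at all: the sequential key may still exist internally, but the request is authorized only by a token of sufficient entropy that is compared in constant time.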

Remediation

Users are advised to update Nextcloud Calendar to version 4.7.19, 5.5.6, or 6.0.1, the first fixed release of each affected branch.

Added: Dec 5, 2025, 5:22 PM
Updated: Dec 5, 2025, 5:22 PM

Vulnerability Rating

Custom Algorithm

  Category         Score
  spread           6.4
  impact           0.6
  exploitability   6.0
  remediation      7.7
  relevance        1.3
  threat           4.8
  urgency          2.9
  incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.