Nextcloud Calendar Autocomplete User Enumeration Vulnerability

Vulnerability

A data protection vulnerability exists in the Nextcloud Calendar app, affecting versions from 5.5.13 up to (but not including) 5.5.17 and from 6.2.0 up to (but not including) 6.2.3. The issue allows any authenticated user to enumerate all users on the same Nextcloud instance through the calendar's attendee suggestion feature. This endpoint bypasses the instance's normal sharing restrictions, exposing user information, including email addresses, for users in all groups on the instance.

Impact

Exploitation of this vulnerability allows for unauthorized user enumeration, potentially leading to privacy violations by exposing user identities and email addresses across different groups.

Reproduction

To reproduce this vulnerability, open an event in the Nextcloud Calendar app and type any letter into the attendees dropdown menu. The autocompletion feature will display all users in the Nextcloud instance that match the input, disregarding any privacy settings or sharing restrictions. This issue persists even if the Share-API is disabled.

Remediation

Users are advised to update the Nextcloud Calendar app to version 6.2.3 or 5.5.17. If an immediate update is not possible, the Calendar app can be disabled as a temporary workaround.
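A small version-triage helper for the remediation step above, added here as an example and not code from Nextcloud or this advisory. It encodes only the two affected ranges the advisory names (5.5.13 up to 5.5.17, 6.2.0 up to 6.2.3) and reports a version as "affected", "fixed" (at or past the fixed release on a named branch), or "not covered by advisory" for anything else, so that older or unrelated branches are not silently reported as safe. How the installed Calendar app version is obtained from each instance is left to the caller; the inventory below is constructed sample data.

```python
"""Triage installed Nextcloud Calendar app versions against the advisory's
affected ranges. Example code added to this page, not Nextcloud's own."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# (first affected version, first fixed version) for each branch the advisory names.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((5, 5, 13), (5, 5, 17)),
    ((6, 2, 0), (6, 2, 3)),
]


def parse_version(text: str) -> Version:
    """Turn '6.2.1' into (6, 2, 1). Rejects anything that is not dotted integers
    and pads short strings so '6.2' compares like (6, 2, 0)."""
    cleaned = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", cleaned):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in cleaned.split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(version_text: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version_text: str) -> Optional[str]:
    """Minimum fixed release on the same branch, or None when not affected."""
    v = parse_version(version_text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def status(version_text: str) -> str:
    """Classify a version conservatively: only branches the advisory names
    can be called 'fixed'; everything else is reported as not covered."""
    v = parse_version(version_text)
    if is_affected(version_text):
        return "affected"
    if any(v[:2] == hi[:2] and v >= hi for _, hi in AFFECTED_RANGES):
        return "fixed"
    return "not covered by advisory"


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map instance name -> (status, recommended fix) for a version inventory."""
    return {name: (status(ver), recommended_fix(ver)) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "cloud-a.example": "6.2.1",
        "cloud-b.example": "5.5.17",
        "cloud-c.example": "6.1.4",
    }
    for name, (state, fix) in triage(sample).items():
        print(f"{name}: {state}" + (f" (update to {fix})" if fix else ""))
```

Instances reported as "affected" need the Calendar app updated to the version returned by recommended_fix, or the app disabled until that update can be applied, as the advisory states.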

Added: Jun 1, 2026, 8:09 PM
Updated: Jun 1, 2026, 8:09 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 0.6
exploitability: 6.8
remediation: 8.3
relevance: 9.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.