CVE-2025-66511

4.8 MEDIUM

📋 TL;DR

Nextcloud Calendar versions before 6.0.3 generate participant tokens for meeting proposals using a predictable hash function instead of cryptographically secure random generation. This allows attackers to compute valid participant tokens, enabling unauthorized access to meeting details and the ability to submit dates in meeting proposals. All Nextcloud instances using vulnerable Calendar app versions are affected.

💻 Affected Systems

Products:
  • Nextcloud Calendar
Versions: All versions before 6.0.3
Operating Systems: All platforms running Nextcloud
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Nextcloud instances with Calendar app installed and enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive meeting details, manipulate scheduling decisions, or disrupt organizational planning by submitting malicious dates to meeting proposals.

🟠 Likely Case

Unauthorized users gain access to meeting proposal details they shouldn't see and can submit dates to influence scheduling decisions.

🟢 If Mitigated

With proper access controls and network segmentation, impact is limited to unauthorized access to meeting details within the Calendar app.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires understanding of the hash function used and access to meeting proposal URLs. The vulnerability is in the token generation algorithm.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.3

Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-whm3-vv55-gf27

Restart Required: No

Instructions:

1. Update the Nextcloud Calendar app to version 6.0.3 or later via the Nextcloud app management interface.
2. Alternatively, update the entire Nextcloud instance if using bundled apps.
3. No server restart is required, but clear caches if issues persist.

🔧 Temporary Workarounds

Disable Calendar App

Temporarily disable the Calendar app if immediate patching isn't possible:

occ app:disable calendar

🧯 If You Can't Patch

  • Restrict access to Nextcloud instance using network controls or VPN
  • Monitor Calendar app logs for unusual participant token usage patterns

🔍 How to Verify

Check if Vulnerable:

Check Calendar app version in Nextcloud admin settings or run: occ app:list | grep calendar

Check Version:

occ app:list | grep calendar

Verify Fix Applied:

Confirm Calendar app version is 6.0.3 or higher in Nextcloud admin interface
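As an added example (not Nextcloud's own tooling), the following script parses plain `occ app:list` output and decides whether the installed Calendar app is enabled and below the fixed version 6.0.3, comparing version components numerically so that 6.0.10 is not mistaken for an older release than 6.0.3. The YAML-like `Enabled:`/`Disabled:` layout of `occ app:list` and the sample output are assumptions constructed for this example.

```python
"""Check an occ app:list listing for a vulnerable Nextcloud Calendar version."""
import re

FIXED_VERSION = "6.0.3"  # first patched Calendar release named in the advisory

# Constructed sample of `occ app:list` output; the layout is an assumption.
SAMPLE_OCC_OUTPUT = """\
Enabled:
  - activity: 2.18.0
  - calendar: 6.0.2
  - files: 1.18.0
Disabled:
  - contacts: 5.3.0
"""


def parse_version(version: str) -> tuple:
    """Turn '6.0.10' into (6, 0, 10) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_app_list(output: str) -> dict:
    """Return {app_name: (version, enabled)} from plain `occ app:list` output."""
    apps = {}
    section = None
    for line in output.splitlines():
        # Unindented 'Enabled:' / 'Disabled:' lines start a new section.
        if line.rstrip().endswith(":") and not line.startswith(" "):
            section = line.strip().rstrip(":").lower()
            continue
        # Indented '  - app: version' lines belong to the current section.
        m = re.match(r"\s*-\s*([\w-]+):\s*(\S+)", line)
        if m and section:
            apps[m.group(1)] = (m.group(2), section == "enabled")
    return apps


def assess(output: str) -> str:
    """Classify the instance as 'not-installed', 'mitigated' (app disabled),
    'vulnerable' (enabled and older than 6.0.3) or 'patched'."""
    apps = parse_app_list(output)
    if "calendar" not in apps:
        return "not-installed"
    version, enabled = apps["calendar"]
    if not enabled:
        return "mitigated"
    if parse_version(version) < parse_version(FIXED_VERSION):
        return "vulnerable"
    return "patched"


if __name__ == "__main__":
    print(assess(SAMPLE_OCC_OUTPUT))  # vulnerable
```

Run it against real output with `occ app:list | python3 check_calendar.py` after replacing the sample with `sys.stdin.read()`; pre-release suffixes such as `6.0.3-beta1` are not handled specially.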

📡 Detection & Monitoring

Log Indicators:

  • Unusual participant token usage patterns
  • Multiple failed token validations followed by successful access

Network Indicators:

  • Unusual API calls to calendar meeting endpoints from unexpected sources

SIEM Query:

source="nextcloud.log" AND "calendar" AND ("participant" OR "token") AND status=200
