CVE-2025-66546
📋 TL;DR
This vulnerability in Nextcloud Calendar allows attackers to blindly book appointments using sequential IDs without needing the appointment token. It affects Nextcloud Calendar versions before 4.7.19, 5.5.6, and 6.0.1. The issue enables unauthorized access to calendar booking functionality.
💻 Affected Systems
- Nextcloud Calendar
📦 What is this software?
Calendar by Nextcloud
⚠️ Risk & Real-World Impact
Worst Case
Attackers could book all available appointment slots, disrupting legitimate users' ability to schedule meetings and potentially causing denial of service for calendar functionality.
Likely Case
Unauthorized users could book appointments they shouldn't have access to, potentially disrupting legitimate scheduling or gaining access to sensitive meeting information.
If Mitigated
With proper access controls and network segmentation, impact is limited to calendar functionality disruption within the affected Nextcloud instance.
🎯 Exploit Status
Exploitation requires knowledge of sequential appointment IDs but no authentication. The vulnerability is publicly documented with technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.7.19, 5.5.6, or 6.0.1
Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7x2j-2674-fj95
Restart Required: No
Instructions:
1. Update the Nextcloud Calendar app via the Nextcloud admin interface or the command line.
2. For the command line: sudo -u www-data php occ app:update calendar
3. Verify that the update completed successfully.
🔧 Temporary Workarounds
Disable Calendar App
Platform: Linux. Temporarily disable the Calendar app to prevent exploitation:
sudo -u www-data php occ app:disable calendar
Restrict Access
Platform: all. Use web application firewall rules to restrict access to calendar endpoints.
🧯 If You Can't Patch
- Implement network segmentation to isolate Nextcloud instance from untrusted networks
- Enable detailed logging for calendar booking attempts and monitor for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check Calendar app version in Nextcloud admin interface under Apps section or run: sudo -u www-data php occ app:list | grep calendar
Check Version:
sudo -u www-data php occ app:list | grep calendar
Verify Fix Applied:
Verify that the Calendar app version is at least 4.7.19 (4.x branch), 5.5.6 (5.x branch), or 6.0.1 (6.x branch).
📡 Detection & Monitoring
Log Indicators:
- Multiple failed appointment booking attempts with sequential IDs
- Unauthorized booking attempts from unexpected IP addresses
Network Indicators:
- Unusual patterns of requests to calendar booking endpoints
- Requests to calendar endpoints without proper authentication tokens
SIEM Query:
source="nextcloud.log" AND ("calendar" AND "booking" AND "unauthorized")
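The log indicator above (booking attempts with sequential IDs from one source) can be checked mechanically. The following is an added example, not code from Nextcloud or this advisory: it parses constructed JSON-lines log entries, groups booking requests by client address, and flags sources whose requested appointment IDs form a consecutive run. The field names (remoteAddr, method, url) and the booking path shape are assumptions; adjust the regex to the real route of your instance.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines in a JSON-lines shape; field names are assumptions.
SAMPLE_LOG = """\
{"remoteAddr":"203.0.113.7","method":"POST","url":"/apps/calendar/appointment/booking/41","message":"booking request"}
{"remoteAddr":"203.0.113.7","method":"POST","url":"/apps/calendar/appointment/booking/42","message":"booking request"}
{"remoteAddr":"203.0.113.7","method":"POST","url":"/apps/calendar/appointment/booking/43","message":"booking request"}
{"remoteAddr":"203.0.113.7","method":"POST","url":"/apps/calendar/appointment/booking/44","message":"booking request"}
{"remoteAddr":"198.51.100.9","method":"POST","url":"/apps/calendar/appointment/booking/17","message":"booking request"}
{"remoteAddr":"198.51.100.9","method":"GET","url":"/apps/calendar/appointment/booking/17","message":"booking request"}
"""

# Assumed path shape for the booking endpoint (placeholder, not the real route).
BOOKING_RE = re.compile(r"/apps/calendar/appointment/booking/(\d+)$")


def booking_ids_by_source(log_text):
    """Map each client address to the ordered list of numeric booking IDs it requested."""
    ids = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        match = BOOKING_RE.search(entry.get("url", ""))
        if match:
            ids[entry.get("remoteAddr", "?")].append(int(match.group(1)))
    return dict(ids)


def longest_sequential_run(values):
    """Length of the longest run of IDs that each increase by exactly one."""
    best = run = 1 if values else 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumeration(log_text, min_run=3):
    """Return {address: run_length} for sources whose booking IDs form a run >= min_run."""
    flagged = {}
    for addr, values in booking_ids_by_source(log_text).items():
        run = longest_sequential_run(values)
        if run >= min_run:
            flagged[addr] = run
    return flagged
```

Tune min_run to the volume of legitimate bookings on your instance; a single client walking consecutive IDs is the pattern this advisory describes, whereas repeated requests for one ID are not flagged.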