CVE-2025-66550

5.7 MEDIUM

📋 TL;DR

This vulnerability in Nextcloud Calendar allows a malicious user to create calendar events with crafted attachments that automatically download files from the same Nextcloud server without user confirmation. This affects Nextcloud Calendar versions prior to 4.7.17 and 5.2.4, potentially exposing sensitive files to unauthorized users.

💻 Affected Systems

Products:
  • Nextcloud Calendar
Versions: All versions prior to 4.7.17 and 5.2.4
Operating Systems: All platforms running Nextcloud
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Calendar app to be installed and enabled. The vulnerability is in how calendar attachments handle download links.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could exfiltrate sensitive files from the Nextcloud server, including confidential documents, user data, or configuration files containing credentials.

🟠

Likely Case

Unauthorized access to files that should be protected, potentially exposing internal documents or user-uploaded content.

🟢

If Mitigated

Limited impact with proper access controls and file permissions, but still represents a violation of expected user consent for downloads.

🌐 Internet-Facing: MEDIUM - Requires authenticated access but could be exploited by external attackers who gain user credentials.
🏢 Internal Only: MEDIUM - Insider threats or compromised internal accounts could exploit this to access files they shouldn't have access to.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to create calendar events. The vulnerability is straightforward to exploit once an attacker has valid credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.7.17 or 5.2.4

Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f29c-ppmv-8mcv

Restart Required: No

Instructions:

1. Update the Nextcloud Calendar app to version 4.7.17 or 5.2.4 via Nextcloud's app management interface.
2. Alternatively, update from the command line: sudo -u www-data php occ app:update calendar
3. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable Calendar App

Platform: linux

Temporarily disable the Calendar app to prevent exploitation while planning the update.

sudo -u www-data php occ app:disable calendar

Restrict Calendar Creation

Platform: all

Limit calendar event creation to trusted users only through Nextcloud permissions.

🧯 If You Can't Patch

  • Implement strict access controls on sensitive files and directories
  • Monitor calendar event creation logs for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the Calendar app version in the Nextcloud admin interface, or run the command below and compare the reported version against the fixed releases.

Check Version:

sudo -u www-data php occ app:list | grep calendar

Verify Fix Applied:

Confirm Calendar app version is 4.7.17 or higher (for version 4.x) or 5.2.4 or higher (for version 5.x)
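The version comparison above is easy to get wrong by hand (4.7.17 is fixed but 4.10.0 sorts before it as a string). The POSIX shell script below is an added example, not part of this advisory or of Nextcloud's own tooling: it parses the `occ app:list` output for the calendar app and classifies the version as vulnerable or fixed using the thresholds stated here (anything below 4.7.17 on the 4.x branch, below 5.2.4 on the 5.x branch, and every release before 4.x). The sample `app:list` output is constructed; the `  - calendar: <version>` line format is assumed from Nextcloud's occ output.

```shell
#!/bin/sh
# Added example (not part of the advisory): classify the installed Nextcloud
# Calendar app version against the fixed releases 4.7.17 and 5.2.4.

# Constructed sample of `occ app:list` output (line format assumed).
SAMPLE_APP_LIST='Enabled:
  - calendar: 4.7.16
  - contacts: 6.0.0
Disabled:
  - deck'

# Extract the calendar app version from app:list output read on stdin.
calendar_version() {
  sed -n 's/^ *- calendar: *\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Numeric dotted-version comparison; prints "lt", "eq" or "gt".
# Missing components count as 0, so 5.2 compares equal to 5.2.0.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    k = (n > m) ? n : m;
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0;
      yi = (i <= m) ? y[i] + 0 : 0;
      if (xi < yi) { print "lt"; exit }
      if (xi > yi) { print "gt"; exit }
    }
    print "eq"
  }'
}

# Map an installed version to "vulnerable", "fixed" or "unknown".
calendar_status() {
  v="$1"
  major=${v%%.*}
  case "$major" in
    ''|*[!0-9]*) echo unknown; return ;;   # not a numeric version
  esac
  if [ "$major" -lt 4 ]; then
    echo vulnerable; return                 # every release before 4.x is affected
  elif [ "$major" -eq 4 ]; then
    fixed=4.7.17
  elif [ "$major" -eq 5 ]; then
    fixed=5.2.4
  else
    echo unknown; return                    # branch not covered by this advisory
  fi
  if [ "$(vercmp "$v" "$fixed")" = lt ]; then echo vulnerable; else echo fixed; fi
}

# Take full app:list output as one argument; prints the status, or
# "not-installed" when no calendar line is present.
check_app_list() {
  ver=$(printf '%s\n' "$1" | calendar_version)
  if [ -z "$ver" ]; then echo not-installed; return; fi
  calendar_status "$ver"
}

# Stand-alone run against the constructed sample. On a real instance replace
# "$SAMPLE_APP_LIST" with "$(sudo -u www-data php occ app:list)".
echo "calendar $(printf '%s\n' "$SAMPLE_APP_LIST" | calendar_version): $(check_app_list "$SAMPLE_APP_LIST")"
```

Because the comparison is numeric per component, 4.10.x is correctly reported as fixed while 4.7.16 is reported as vulnerable; a version on a branch this advisory does not mention is reported as unknown rather than silently treated as safe.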

📡 Detection & Monitoring

Log Indicators:

  • Unusual calendar event creation patterns
  • Multiple file downloads triggered from calendar attachments
  • Failed attempts to access restricted files via calendar links

Network Indicators:

  • Unexpected file download requests originating from calendar endpoints

SIEM Query:

source="nextcloud.log" AND ("calendar" AND "download" AND "attachment")

🔗 References
