CVE-2026-45281

8.1 HIGH

Nextcloud is an open source content collaboration platform

Published: 2026-06-01 · Last updated: 2026-06-03

Severity and scoring

CVSS: 8.1 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-639

Affected products

Vendor	Product
nextcloud	nextcloud_server

Description

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with the knowledge of other users’ principal URL an attacker could possibly send a request to gain full access to their calendar. Therefore, the attacker must be an authenticated user. This is because of improper authorization controls in the backend of the calendar. If the attacker had access to the calendar, they would be able to view and modify it. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, 27.1.11.26, 26.0.13.26, 25.0.13.29, 24.0.12.34, 23.0.12.35, 22.2.10.39, or 21.0.9.23

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-45281
[Vendor advisory]https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hrrv-mp25-26vv
[Patch]https://github.com/nextcloud/server/pull/59962
[Other]https://hackerone.com/reports/3545964

Related CVEs

Same vendor

CVE-2026-45810 — Nextcloud is an open source content collaboration platform (6.8 MEDIUM)
CVE-2026-45722 — Nextcloud is an open source content collaboration platform (7.1 HIGH)
CVE-2026-45691 — Nextcloud is an open source content collaboration platform (5.9 MEDIUM)
CVE-2026-45690 — Nextcloud is an open source content collaboration platform (5.9 MEDIUM)
CVE-2026-45545 — Nextcloud is an open source content collaboration platform (8.2 HIGH)

Same CWE

CVE-2026-12204 — A vulnerability was determined in ShopXO up to 6.7.1 (7.3 HIGH)
CVE-2026-1291 — The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST AP... (4.3 MEDIUM)
CVE-2026-54361 — MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow at...
CVE-2026-54360 — A mass assignment vulnerability exists in MISP’s sharing group creation endpoint
CVE-2026-54357 — An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings bel...