Nextcloud Calendar app used predictable proposal participant tokens
CVE-2025-66511

4.8MEDIUM

Key Information:

Vendor: Nextcloud
Status: Security-advisories
Vendor: CVE Published:; 5 December 2025

🔔 Create Nextcloud Vulnerability Alert

What is CVE-2025-66511?

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. The tokens are not purely random generated. This vulnerability is fixed in 6.0.3.

Affected Version(s)

security-advisories >= 6.0.0-rc.1, < 6.0.3

References

https://github.com/nextcloud/security-advisories/security...

x_refsource_CONFIRM

https://github.com/nextcloud/calendar/pull/7659

x_refsource_MISC

https://github.com/nextcloud/calendar/commit/8de14ae87f32...

x_refsource_MISC

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 5, 2025
Vulnerability Reserved
Dec 3, 2025

.

CVE-2025-66511 : Token Generation Vulnerability in Nextcloud Calendar App