Vulnerability in Nextcloud Calendar App Allows Unauthorized Appointment Booking
CVE-2025-66546

3.3LOW

Key Information:

Vendor

Nextcloud
Status
Security-advisories
Vendor
CVE Published:
5 December 2025

What is CVE-2025-66546?

A security vulnerability exists in the Nextcloud Calendar app that allows unauthorized users to book appointments using sequential IDs without possessing the appointment token. This flaw potentially exposes scheduling functionality to manipulation, affecting user privacy and appointment integrity. The issue has been addressed in versions 4.7.19, 5.5.6, and 6.0.1, underscoring the importance of upgrading to secure versions.

Affected Version(s)

security-advisories >= 6.0.0-rc.1, < 6.0.1 < 6.0.0-rc.1, 6.0.1

security-advisories >= 5.0.0-rc.1, < 5.5.6 < 5.0.0-rc.1, 5.5.6

security-advisories >= 3.0.0-beta1, < 4.7.19 < 3.0.0-beta1, 4.7.19

References

https://github.com/nextcloud/security-advisories/security...
x_refsource_CONFIRM
https://github.com/nextcloud/calendar/pull/7537
x_refsource_MISC
https://github.com/nextcloud/calendar/commit/f41650c3681f...
x_refsource_MISC

CVSS V3.1

Score:
3.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.