Nextcloud Calendar app allowed booking appointments without the generated token
CVE-2025-66546

3.3 LOW

Key Information:

Vendor: Nextcloud
CVE Published: 5 December 2025

What is CVE-2025-66546?

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments with a sequential ID without knowing the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1.

Affected Version(s)

security-advisories >= 6.0.0-rc.1, < 6.0.1 < 6.0.0-rc.1, 6.0.1

security-advisories >= 5.0.0-rc.1, < 5.5.6 < 5.0.0-rc.1, 5.5.6

security-advisories >= 3.0.0-beta1, < 4.7.19 < 3.0.0-beta1, 4.7.19

CVSS V3.1

Score: 3.3
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
