CVE-2026-45281

EUVD-2026-33706
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with the knowledge of other users’ principal URL an attacker could possibly send a request to gain full access to their calendar. Therefore, the attacker must be an authenticated user. This is because of improper authorization controls in the backend of the calendar. If the attacker had access to the calendar, they would be able to view and modify it. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, 27.1.11.26, 26.0.13.26, 25.0.13.29, 24.0.12.34, 23.0.12.35, 22.2.10.39, or 21.0.9.23
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
Affected Products (NVD)
VendorProductVersion
nextcloudnextcloud_server
32.0.0 ≤
𝑥
< 32.0.9
nextcloudnextcloud_server
33.0.0 ≤
𝑥
< 33.0.3
nextcloudnextcloud_server
21.0.0 ≤
𝑥
< 21.0.9.23
nextcloudnextcloud_server
22.0.0 ≤
𝑥
< 22.2.10.39
nextcloudnextcloud_server
23.0.0 ≤
𝑥
< 23.0.12.35
nextcloudnextcloud_server
24.0.0 ≤
𝑥
< 24.0.12.34
nextcloudnextcloud_server
25.0.0 ≤
𝑥
< 25.0.13.29
nextcloudnextcloud_server
26.0.0 ≤
𝑥
< 26.0.13.26
nextcloudnextcloud_server
27.0.0 ≤
𝑥
< 27.1.11.26
nextcloudnextcloud_server
28.0.0 ≤
𝑥
< 28.0.14.17
nextcloudnextcloud_server
29.0.0 ≤
𝑥
< 29.0.16.16
nextcloudnextcloud_server
30.0.0 ≤
𝑥
< 30.0.17.9
nextcloudnextcloud_server
31.0.0 ≤
𝑥
< 31.0.14.5
nextcloudnextcloud_server
32.0.0 ≤
𝑥
< 32.0.9
nextcloudnextcloud_server
33.0.0 ≤
𝑥
< 33.0.3
𝑥
= Vulnerable software versions