PT-2026-45525 · Nextcloud · Nextcloud Enterprise Server, Nextcloud Server

Dorra Jaouad · Published 2026-06-01 · Updated 2026-06-02 · CVE-2026-45281

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Nextcloud Server versions 32.0.0 through 32.0.8
Nextcloud Server versions 33.0.0 through 33.0.2
Nextcloud Enterprise Server versions prior to 33.0.3
Nextcloud Enterprise Server versions prior to 32.0.9
Nextcloud Enterprise Server versions prior to 31.0.14.5
Nextcloud Enterprise Server versions prior to 30.0.17.9
Nextcloud Enterprise Server versions prior to 29.0.16.16
Nextcloud Enterprise Server versions prior to 28.0.14.17
Nextcloud Enterprise Server versions prior to 27.1.11.26
Nextcloud Enterprise Server versions prior to 26.0.13.26
Nextcloud Enterprise Server versions prior to 25.0.13.29
Nextcloud Enterprise Server versions prior to 24.0.12.34
Nextcloud Enterprise Server versions prior to 23.0.12.35
Nextcloud Enterprise Server versions prior to 22.2.10.39
Nextcloud Enterprise Server versions prior to 21.0.9.23

Description

Improper authorization controls in the calendar backend allow an authenticated attacker with knowledge of another user's principal URL to send a request and gain full access to that user's calendar. This access enables the attacker to view and modify the calendar data.

Recommendations

Upgrade to version 32.0.9
Upgrade to version 33.0.3
Upgrade to version 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, 27.1.11.26, 26.0.13.26, 25.0.13.29, 24.0.12.34, 23.0.12.35, 22.2.10.39, or 21.0.9.23 depending on the current installation branch

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-45281

Affected Products

Nextcloud Enterprise Server
Nextcloud Server