CVE-2025-66511 MEDIUM

CVE-2025-66511: Nextcloud Calendar app used predictable proposal participant tokens

Vendor Nextcloud
Product security-advisories
Weakness CWE-330 · Insufficient randomness
Published December 5, 2025
Last update December 5, 2025

CVSS base score

4.8/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generated participant tokens for meeting proposals using a hash function rather than purely random values. An attacker could therefore compute valid participant tokens and use them to request details and submit dates in meeting proposals. This vulnerability is fixed in 6.0.3.
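The weakness class described above (CWE-330), shown as an added example that is not code from Nextcloud Calendar: a token derived by hashing is reproducible by anyone who knows the inputs, while a token from the OS CSPRNG must be stored and looked up server-side. The hash inputs, sample values and the `ProposalTokens` store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data. The hash inputs below are an assumption for
# illustration, not the Calendar app's real derivation.
PROPOSAL_ID = "42"
PARTICIPANT = "alice@example.org"


def derived_token(proposal_id, participant):
    """Weak pattern: the token is a pure function of guessable inputs."""
    return hashlib.sha256(f"{proposal_id}:{participant}".encode()).hexdigest()


def random_token(nbytes=32):
    """Hardened pattern: 256 bits from the OS CSPRNG, unrelated to any input."""
    return secrets.token_urlsafe(nbytes)


class ProposalTokens:
    """Hypothetical server-side store of issued participant tokens."""

    def __init__(self):
        self._issued = {}

    def issue(self, proposal_id, participant):
        # The token carries no derivable structure, so it has to be persisted.
        token = random_token()
        self._issued[(proposal_id, participant)] = token
        return token

    def verify(self, proposal_id, participant, presented):
        expected = self._issued.get((proposal_id, participant))
        if expected is None:
            return False
        # Constant-time comparison avoids leaking matching prefixes via timing.
        return hmac.compare_digest(expected.encode(), presented.encode())


def is_reproducible(make_token):
    """True if two independent calls yield the same token."""
    return make_token() == make_token()
```

When reviewing similar code, a token that `is_reproducible` from request-visible data is the signal to replace it with a stored random value.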

Key dates

02 Disclosure timeline

December 5, 2025 CVE published
December 5, 2025 Record updated