Unrated severityNVD Advisory· Published Dec 5, 2025· Updated Dec 5, 2025

Nextcloud Calendar app used predictable proposal participant tokens

CVE-2025-66511

Description

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. The tokens are not purely random generated. This vulnerability is fixed in 6.0.3.

Affected products

Kieranoshea/Calendarllm-fuzzy
Range: <6.0.3
nextcloud/security-advisoriesv5
Range: >= 6.0.0-rc.1, < 6.0.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/nextcloud/calendar/commit/8de14ae87f321f5f09280d9895a27d54d24f33fbmitrex_refsource_MISC
github.com/nextcloud/calendar/pull/7659mitrex_refsource_MISC
github.com/nextcloud/security-advisories/security/advisories/GHSA-whm3-vv55-gf27mitrex_refsource_CONFIRM
hackerone.com/reports/3385434mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000