Security Advisory

Back to advisories

Share tokens for public calendars disclosed (NC-SA-2017-011)

8th May 2017

Risk level: Medium

CVSS v3 Base Score: 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CWE: Information Exposure Through Directory Listing (CWE-548)

HackerOne report: 218876


A logical error caused disclosure of valid share tokens for public calendars. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token.

Affected Software

  • Nextcloud Server < 11.0.3 (CVE-2017-0894)

Action Taken

The error has been fixed and regression tests been added.


The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke - Nextcloud GmbH ( - Vulnerability discovery and disclosure.

This advisory is licensed CC BY-SA 4.0.