Share tokens for public calendars disclosed

May 31, 2017


A logical error caused disclosure of valid share tokens for public calendars. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token.

Affected Software

  • ownCloud Server < 10.0.2 (CVE-2017-9339)

Action Taken

The error has been fixed and regression tests been added.


The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke – Nextcloud GmbH () – Vulnerability discovery and disclosure.

This advisory is licensed CC BY-SA 4.0. Original source: