Was able to enable Birthday Contacts
any User, Admin, SuperAdmin. from a low privileged user.
Enable Birthday Contacts
POST /remote.php/dav/calendars/{userId}
<x3:enable-birthday-calendar xmlns:x3="http://nextcloud.com/ns"/>
Users with low privileges enable the “Birthday Contacts” feature for any user, including Admins and SuperAdmins, within the Nextcloud application. By following a simple set of steps, an attacker could navigate to the Calendar section, access the calendar settings, enable the “Birthday Contacts” feature, and intercept a specific request to achieve this unauthorized action.