385 vulnerabilities by nextcloud
CVE-2026-45810 (GCVE-0-2026-45810)
Vulnerability from cvelistv5 – Published: 2026-06-01 17:13 – Updated: 2026-06-01 17:13
Title
Nextcloud: Propfind requests for file comments allowed to load comments for other files
Summary
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.12, and 32.0.0 to before 32.0.3, a missing check of a relation allowed authenticated users with access to any file comment to read the content of all comments. It is recommended that the Nextcloud Server is upgraded to 31.0.12 or 32.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 21.0.9.20, 22.2.10.35, 23.0.12.31, 24.0.12.30, 25.0.13.25, 26.0.13.22, 27.1.11.22, 28.0.14.13, 29.0.16.10, 30.0.17.5, 31.0.12 or 32.0.3.
Severity
6.8 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/server/pull/56982 | x_refsource_MISC |
| https://hackerone.com/reports/3425534 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| nextcloud | security-advisories | Affected: >= 31.0.0, < 31.0.12; Affected: >= 32.0.0, < 32.0.3 |
{
"containers": {
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 31.0.0, \u003c 31.0.12"
},
{
"status": "affected",
"version": "\u003e= 32.0.0, \u003c 32.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.12, and 32.0.0 to before 32.0.3, a missing check of a relation allowed authenticated users with access to any file comment, to read the content of all comments. It is recommended that the Nextcloud Server is upgraded to 31.0.12 or 32.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 21.0.9.20, 22.2.10.35, 23.0.12.31, 24.0.12.30, 25.0.13.25, 26.0.13.22, 27.1.11.22, 28.0.14.13, 29.0.16.10, 30.0.17.5, 31.0.12 or 32.0.3"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T17:13:21.681Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-285v-p9x9-cjhj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-285v-p9x9-cjhj"
},
{
"name": "https://github.com/nextcloud/server/pull/56982",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/server/pull/56982"
},
{
"name": "https://hackerone.com/reports/3425534",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3425534"
}
],
"source": {
"advisory": "GHSA-285v-p9x9-cjhj",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Propfind requests for file comments allowed to load comments for other files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45810",
"datePublished": "2026-06-01T17:13:21.681Z",
"dateReserved": "2026-05-13T08:19:32.605Z",
"dateUpdated": "2026-06-01T17:13:21.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45722 (GCVE-0-2026-45722)
Vulnerability from cvelistv5 – Published: 2026-06-01 17:11 – Updated: 2026-06-01 19:33
Title
Nextcloud: Tables app allows limited SQLi in ORDER BY with malicious sort order argument for Table Views
Summary
Nextcloud is an open source content collaboration platform. From versions 0.9.0 to before 0.9.7, and 1.0.0 to before 1.0.2, a missing sanitization in the Tables app allowed a user with access to the Tables app to perform a limited SQL injection in the ORDER BY clause of a query. Compared to normal SQL injections, an ORDER BY injection is limited to extracting a single bit of information per request or to making the database wait for a given time. This issue has been patched in versions 0.9.7 and 1.0.2.
Severity
7.1 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/tables/pull/2186 | x_refsource_MISC |
| https://hackerone.com/reports/3446689 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| nextcloud | security-advisories | Affected: >= 0.9.0, < 0.9.7; Affected: >= 1.0.0, < 1.0.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45722",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T19:33:35.307057Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T19:33:47.068Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.9.0, \u003c 0.9.7"
},
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. From versions 0.9.0 to before 0.9.7, and 1.0.0 to before 1.0.2, a missing sanitization in the Tables app allowed a user with access to the tables app to perform a limited SQL injection in the ORDER BY statement of a query. Compared to normal SQL injections, the ORDER BY is limited to extracting a single bit of information per request or to make the database wait for a given time. This issue has been patched in versions 0.9.7 and 1.0.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T17:11:15.481Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5h2w-c7px-hp4j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5h2w-c7px-hp4j"
},
{
"name": "https://github.com/nextcloud/tables/pull/2186",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/tables/pull/2186"
},
{
"name": "https://hackerone.com/reports/3446689",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3446689"
}
],
"source": {
"advisory": "GHSA-5h2w-c7px-hp4j",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Tables app allows limited SQLi in ORDER BY with malicious sort order argument for Table Views"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45722",
"datePublished": "2026-06-01T17:11:15.481Z",
"dateReserved": "2026-05-13T05:51:48.666Z",
"dateUpdated": "2026-06-01T19:33:47.068Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45691 (GCVE-0-2026-45691)
Vulnerability from cvelistv5 – Published: 2026-06-01 17:09 – Updated: 2026-06-01 19:10
Title
Nextcloud: Bypass of second factor authentication on DAV endpoints
Summary
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer token to authenticate against DAV endpoints, granting read/write access and bypassing mandatory two-factor authentication. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16.
Severity
5.9 (Medium)
CWE
- CWE-287 - Improper Authentication
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/server/pull/59758 | x_refsource_MISC |
| https://hackerone.com/reports/3573399 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| nextcloud | security-advisories | Affected: >= 32.0.0, < 32.0.9; Affected: >= 33.0.0, < 33.0.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45691",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T19:09:58.256884Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T19:10:18.647Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 32.0.0, \u003c 32.0.9"
},
{
"status": "affected",
"version": "\u003e= 33.0.0, \u003c 33.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer token to authenticate against DAV endpoints, granting read/write access and bypassing mandatory two-factor authentication. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T17:09:48.217Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mp6x-g55j-w9jw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mp6x-g55j-w9jw"
},
{
"name": "https://github.com/nextcloud/server/pull/59758",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/server/pull/59758"
},
{
"name": "https://hackerone.com/reports/3573399",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3573399"
}
],
"source": {
"advisory": "GHSA-mp6x-g55j-w9jw",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Bypass of second factor authentication on DAV endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45691",
"datePublished": "2026-06-01T17:09:48.217Z",
"dateReserved": "2026-05-13T04:38:01.164Z",
"dateUpdated": "2026-06-01T19:10:18.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45690 (GCVE-0-2026-45690)
Vulnerability from cvelistv5 – Published: 2026-06-01 17:08 – Updated: 2026-06-01 17:08
Title
Nextcloud: Two-Factor Authentication Bypass via Pending Session Token Replay
Summary
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user's password to circumvent two-factor authentication (2FA) protections. When a user initiated login with valid credentials on a 2FA-enabled account, the system created a temporary session token before enforcing the second-factor challenge. This token could be extracted and replayed via HTTP Basic Authentication to gain unauthorized access to authenticated endpoints. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16.
Severity
5.9 (Medium)
CWE
- CWE-287 - Improper Authentication
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/server/pull/59758 | x_refsource_MISC |
| https://hackerone.com/reports/3639301 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| nextcloud | security-advisories | Affected: >= 32.0.0, < 32.0.9; Affected: >= 33.0.0, < 33.0.3 |
{
"containers": {
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 32.0.0, \u003c 32.0.9"
},
{
"status": "affected",
"version": "\u003e= 33.0.0, \u003c 33.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user\u0027s password to circumvent two-factor authentication (2FA) protections. When a user initiated login with valid credentials on a 2FA-enabled account, the system created a temporary session token before enforcing the second factor challenge. This token could be extracted and replayed via HTTP Basic Authentication to gain unauthorized access to authenticated endpoints. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T17:08:04.857Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jgcj-v42r-9922",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jgcj-v42r-9922"
},
{
"name": "https://github.com/nextcloud/server/pull/59758",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/server/pull/59758"
},
{
"name": "https://hackerone.com/reports/3639301",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3639301"
}
],
"source": {
"advisory": "GHSA-jgcj-v42r-9922",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Two-Factor Authentication Bypass via Pending Session Token Replay"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45690",
"datePublished": "2026-06-01T17:08:04.857Z",
"dateReserved": "2026-05-13T04:38:01.164Z",
"dateUpdated": "2026-06-01T17:08:04.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45545 (GCVE-0-2026-45545)
Vulnerability from cvelistv5 – Published: 2026-06-01 17:05 – Updated: 2026-06-01 17:05
Title
Nextcloud: SQL Injection in Column Type Parameter Allows Arbitrary SQL Execution
Summary
Nextcloud is an open source content collaboration platform. From versions 0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, and 1.0.0 to before 1.0.4, an authenticated attacker with access to the Tables app may be able to execute arbitrary SQL queries of up to 20 bytes in length through a stored injection. With carefully crafted input it is possible to break out of the length limitation. The attacker could use this to extract information from the database or to modify data. This issue has been patched in versions 0.7.7, 0.8.10, 0.9.8, 1.0.4, and 2.0.0.
Severity
8.2 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/tables/pull/2309 | x_refsource_MISC |
| https://hackerone.com/reports/3462991 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| nextcloud | security-advisories | Affected: >= 0.7.0, < 0.7.7; Affected: >= 0.8.0, < 0.8.10; Affected: >= 0.9.0, < 0.9.8; Affected: >= 1.0.0, < 1.0.4 |
{
"containers": {
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.7.0, \u003c 0.7.7"
},
{
"status": "affected",
"version": "\u003e= 0.8.0, \u003c 0.8.10"
},
{
"status": "affected",
"version": "\u003e= 0.9.0, \u003c 0.9.8"
},
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. From versions 0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, and 1.0.0 to before 1.0.4, an authenticated attacker with access to the Tables app may be able to execute arbitrary up to 20 bytes long SQL queries, through a stored injection. With carefully crafted input it is possible to break out of the length limitation. The attacker could use this to extract information from the database, or modify data. This issue has been patched in versions 0.7.7, 0.8.10, 0.9.8, 1.0.4, and 2.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T17:05:18.396Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x43f-gmgh-vvjj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x43f-gmgh-vvjj"
},
{
"name": "https://github.com/nextcloud/tables/pull/2309",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/tables/pull/2309"
},
{
"name": "https://hackerone.com/reports/3462991",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3462991"
}
],
"source": {
"advisory": "GHSA-x43f-gmgh-vvjj",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: SQL Injection in Column Type Parameter Allows Arbitrary SQL Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45545",
"datePublished": "2026-06-01T17:05:18.396Z",
"dateReserved": "2026-05-12T17:48:47.879Z",
"dateUpdated": "2026-06-01T17:05:18.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45544 (GCVE-0-2026-45544)
Vulnerability from cvelistv5 – Published: 2026-06-01 17:03 – Updated: 2026-06-01 21:40
Title
Nextcloud: Information Disclosure of view filter metadata via Broken Sensitive Data Masking in ViewService
Summary
Nextcloud is an open source content collaboration platform. From version 0.8.0 to before version 1.0.4, the view filter criteria are exposed to users with read-only permissions in Nextcloud Tables. This issue has been patched in versions 1.0.4 and 2.0.0.
Severity
4.3 (Medium)
CWE
- CWE-1230 - Exposure of Sensitive Information Through Metadata
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/tables/pull/2312 | x_refsource_MISC |
| https://hackerone.com/reports/3483753 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| nextcloud | security-advisories | Affected: >= 0.8.0, < 1.0.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45544",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T21:39:59.421765Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T21:40:07.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.8.0, \u003c 1.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. From version 0.8.0 to before version 1.0.4, the view filter criteria is exposed to users with read-only permissions in Nextcloud Tables. This issue has been patched in versions 1.0.4 and 2.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1230",
"description": "CWE-1230: Exposure of Sensitive Information Through Metadata",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T17:03:06.911Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vvxm-6jjp-m9mp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vvxm-6jjp-m9mp"
},
{
"name": "https://github.com/nextcloud/tables/pull/2312",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/tables/pull/2312"
},
{
"name": "https://hackerone.com/reports/3483753",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3483753"
}
],
"source": {
"advisory": "GHSA-vvxm-6jjp-m9mp",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Information Disclosure of view filter metadata via Broken Sensitive Data Masking in ViewService"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45544",
"datePublished": "2026-06-01T17:03:06.911Z",
"dateReserved": "2026-05-12T17:48:47.879Z",
"dateUpdated": "2026-06-01T21:40:07.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45543 (GCVE-0-2026-45543)
Vulnerability from cvelistv5 – Published: 2026-06-01 17:00 – Updated: 2026-06-01 19:33
Title
Nextcloud: Deleting a Forms collaborator share leaves uploaded response files accessible through a lingering Files share
Summary
Nextcloud is an open source content collaboration platform. From version 4.3.0 to before version 5.2.7, a removed collaborator retains unauthorized read access to uploaded respondent files for the affected form. The scope is limited to uploaded files for forms where that user previously had results access. This issue has been patched in version 5.2.7.
Severity
5.3 (Medium)
CWE
- CWE-552 - Files or Directories Accessible to External Parties
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/forms/pull/3291 | x_refsource_MISC |
| https://hackerone.com/reports/3617352 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| nextcloud | security-advisories | Affected: >= 4.3.0, < 5.2.7 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45543",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T19:33:00.290011Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T19:33:14.762Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.3.0, \u003c 5.2.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. From version 4.3.0 to before version 5.2.7, a removed collaborator retains unauthorized read access to uploaded respondent files for the affected form. The scope is limited to uploaded files for forms where that user previously had results access. This issue has been patched in version 5.2.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552: Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T17:00:48.861Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q4fw-6jf8-5vhh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q4fw-6jf8-5vhh"
},
{
"name": "https://github.com/nextcloud/forms/pull/3291",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/forms/pull/3291"
},
{
"name": "https://hackerone.com/reports/3617352",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3617352"
}
],
"source": {
"advisory": "GHSA-q4fw-6jf8-5vhh",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Deleting a Forms collaborator share leaves uploaded response files accessible through a lingering Files share"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45543",
"datePublished": "2026-06-01T17:00:48.861Z",
"dateReserved": "2026-05-12T17:48:47.879Z",
"dateUpdated": "2026-06-01T19:33:14.762Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45286 (GCVE-0-2026-45286)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:59 – Updated: 2026-06-01 19:13
Title
Nextcloud: Calendar app leaked user identifiers via attendee suggestion endpoint
Summary
Nextcloud is an open source content collaboration platform. From versions 5.5.13 to before 5.5.17, and 6.2.0 to before 6.2.3, an authenticated user can enumerate users on the same Nextcloud instance by using the Calendar app's endpoint for suggesting attendees. The sharing restrictions applied to other endpoints were not effective here. This issue has been patched in versions 5.5.17 and 6.2.3.
Severity
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
References
4 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/calendar/issues/7971 | x_refsource_MISC |
| https://github.com/nextcloud/calendar/pull/8197 | x_refsource_MISC |
| https://hackerone.com/reports/3540663 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| nextcloud | security-advisories | Affected: >= 5.5.13, < 5.5.17; Affected: >= 6.2.0, < 6.2.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45286",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T19:12:56.174122Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T19:13:25.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.5.13, \u003c 5.5.17"
},
{
"status": "affected",
"version": "\u003e= 6.2.0, \u003c 6.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. From versions 5.5.13 to before 5.5.17, and 6.2.0 to before 6.2.3, an authenticated user can enumerate users on the same Nextcloud instance by using the Calendar app\u0027s endpoint for suggesting attendees. The sharing restrictions, applied to other endpoints, were not effective here. This issue has been patched in versions 5.5.17 and 6.2.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:59:36.865Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r697-74m9-gvf2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r697-74m9-gvf2"
},
{
"name": "https://github.com/nextcloud/calendar/issues/7971",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/calendar/issues/7971"
},
{
"name": "https://github.com/nextcloud/calendar/pull/8197",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/calendar/pull/8197"
},
{
"name": "https://hackerone.com/reports/3540663",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3540663"
}
],
"source": {
"advisory": "GHSA-r697-74m9-gvf2",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Calendar app leaked user identifiers via attendee suggestion endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45286",
"datePublished": "2026-06-01T16:59:36.865Z",
"dateReserved": "2026-05-11T20:14:43.200Z",
"dateUpdated": "2026-06-01T19:13:25.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45284 (GCVE-0-2026-45284)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:57 – Updated: 2026-06-01 16:57
Title
Nextcloud: Wrong condition in the User OIDC app's LdapService allowed deleted LDAP users to authenticate
Summary
Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that were provided by LDAP to still authenticate towards user OIDC after they were deleted. This issue has been patched in version 8.4.0.
Severity
4.6 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
GitHub_M
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/user_oidc/pull/1340 | x_refsource_MISC |
| https://hackerone.com/reports/3554696 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| nextcloud | security-advisories | Affected: >= 1.3.6, < 8.4.0 |
{
"containers": {
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.3.6, \u003c 8.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that where provided by LDAP to still authenticate towards user OIDC after they where deleted. This issue has been patched in version 8.4.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:57:56.210Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-79xf-ffj8-96fm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-79xf-ffj8-96fm"
},
{
"name": "https://github.com/nextcloud/user_oidc/pull/1340",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/user_oidc/pull/1340"
},
{
"name": "https://hackerone.com/reports/3554696",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3554696"
}
],
"source": {
"advisory": "GHSA-79xf-ffj8-96fm",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Wrong condition in the User OIDC app\u0027s LdapService allowed deleted LDAP users to authenticate"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45284",
"datePublished": "2026-06-01T16:57:56.210Z",
"dateReserved": "2026-05-11T18:41:13.158Z",
"dateUpdated": "2026-06-01T16:57:56.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45285 (GCVE-0-2026-45285)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:57 – Updated: 2026-06-01 16:57
Title
Nextcloud: Hidden Public Link creation when sharing to a Team External Member
Summary
Nextcloud is an open source content collaboration platform. From versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a user shares a folder or file with a Nextcloud Team that includes an external member (a person added via email address who does not have a Nextcloud account), the system automatically creates a public link for that external member. This public link is not displayed in the share section of the folder, so the folder owner has no knowledge of its existence. It is sent via email to the external member. It grants the same permissions (read, write, delete, reshare, download) as the Team’s access. An attacker who receives or intercepts this link can access, modify, delete, reshare, and download all data in the shared folder without any further authentication. The folder owner cannot see or revoke the link through the normal sharing interface. This issue has been patched in versions 32.0.9 and 33.0.3.
Severity
6.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
GitHub_M
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/circles/pull/2454 | x_refsource_MISC |
| https://hackerone.com/reports/3625932 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| nextcloud | security-advisories | Affected: >= 32.0.0, < 32.0.9; Affected: >= 33.0.0, < 33.0.3 |
{
"containers": {
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 32.0.0, \u003c 32.0.9"
},
{
"status": "affected",
"version": "\u003e= 33.0.0, \u003c 33.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. From versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a user shares a folder or file with a Nextcloud Team that includes an external member (a person added via email address who does not have a Nextcloud account), the system automatically creates a public link for that external member. This public link is not displayed in the share section of the folder, so the folder owner has no knowledge of its existence. It is sent via email to the external member. It grants the same permissions (read, write, delete, reshare, download) as the Team\u2019s access. An attacker who receives or intercepts this link can access, modify, delete, reshare, and download all data in the shared folder without any further authentication. The folder owner cannot see or revoke the link through the normal sharing interface. This issue has been patched in versions 32.0.9 and 33.0.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:57:50.447Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r3xh-x86g-hw4m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r3xh-x86g-hw4m"
},
{
"name": "https://github.com/nextcloud/circles/pull/2454",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/circles/pull/2454"
},
{
"name": "https://hackerone.com/reports/3625932",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3625932"
}
],
"source": {
"advisory": "GHSA-r3xh-x86g-hw4m",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Hidden Public Link creation when sharing to a Team External Member"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45285",
"datePublished": "2026-06-01T16:57:50.447Z",
"dateReserved": "2026-05-11T20:14:43.200Z",
"dateUpdated": "2026-06-01T16:57:50.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45283 (GCVE-0-2026-45283)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:53 – Updated: 2026-06-01 21:42
Title
Nextcloud: Files Lock app allows users to lock and unlock files of other users
Summary
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the files_lock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated user could lock or unlock files belonging to other users by targeting their absolute WebDAV paths. Additionally, lock tokens were disclosed to unauthorized callers in error responses, allowing attackers to remove token-based locks placed by other users' client applications. It is recommended that the Nextcloud Server is upgraded to 32.0.2 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 31.0.14.4, 32.0.2 or 33.0.1
Severity
6.3 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
GitHub_M
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/files_lock/pull/1007 | x_refsource_MISC |
| https://hackerone.com/reports/3301553# | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| nextcloud | security-advisories | Affected: >= 32.0.0, < 32.0.2; Affected: >= 33.0.0, < 33.0.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45283",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T21:41:51.211198Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T21:42:51.254Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 32.0.0, \u003c 32.0.2"
},
{
"status": "affected",
"version": "\u003e= 33.0.0, \u003c 33.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the files_lock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated user could lock or unlock files belonging to other users by targeting their absolute WebDAV paths. Additionally, lock tokens were disclosed to unauthorized callers in error responses, allowing attackers to remove token-based locks placed by other users\u0027 client applications. It is recommended that the Nextcloud Server is upgraded to 32.0.2 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 31.0.14.4 or 32.0.2 or 33.0.1"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:53:50.656Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4chh-6mhf-p4jj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4chh-6mhf-p4jj"
},
{
"name": "https://github.com/nextcloud/files_lock/pull/1007",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/files_lock/pull/1007"
},
{
"name": "https://hackerone.com/reports/3301553#",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3301553#"
}
],
"source": {
"advisory": "GHSA-4chh-6mhf-p4jj",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Files Lock app allows users to lock and unlock files of other users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45283",
"datePublished": "2026-06-01T16:53:50.656Z",
"dateReserved": "2026-05-11T18:41:13.158Z",
"dateUpdated": "2026-06-01T21:42:51.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
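CVE-2026-45283 reports two defects: the target of a DAV LOCK or UNLOCK was not checked against the requester, and lock tokens were echoed in error responses. The following is an added example written for this page, not code from the files_lock app; it uses an in-memory lock store, assumed handler names, and a deliberately simplified owner-only rule (a real server also has to admit share recipients with write permission). It shows how the two defects chain into removing another user's lock, beside the hardened shape of the same handlers:

```python
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass, field

# Assumed shape of an absolute files DAV path: /remote.php/dav/files/<owner>/<relative path>
DAV_FILES_RE = re.compile(r"^/remote\.php/dav/files/([^/]+)/(.+)$")


@dataclass
class Lock:
    holder: str   # user who placed the lock
    token: str    # opaque lock token; must only be known to the holder's client


@dataclass
class LockStore:
    locks: dict[str, Lock] = field(default_factory=dict)   # DAV path -> Lock


def owner_of(dav_path: str) -> str:
    """Owner is the <owner> segment of the absolute files DAV path (assumed layout)."""
    m = DAV_FILES_RE.match(dav_path)
    if m is None:
        raise ValueError(f"not a files DAV path: {dav_path!r}")
    return m.group(1)


def new_token() -> str:
    return "opaquelocktoken:" + secrets.token_hex(16)


# Vulnerable shape: no check that the requester may act on this path, and the
# conflict response hands the existing token to whoever asked.
def lock_vulnerable(store: LockStore, uid: str, dav_path: str) -> tuple[int, dict]:
    existing = store.locks.get(dav_path)
    if existing is not None:
        return 423, {"error": "locked", "token": existing.token}   # leaks another user's token
    token = new_token()
    store.locks[dav_path] = Lock(uid, token)
    return 200, {"token": token}


def unlock_vulnerable(store: LockStore, uid: str, dav_path: str, token: str) -> tuple[int, dict]:
    existing = store.locks.get(dav_path)
    if existing is None:
        return 409, {"error": "not locked"}
    if existing.token != token:
        return 409, {"error": "token mismatch"}
    del store.locks[dav_path]                                      # any caller with the token wins
    return 204, {}


# Hardened shape: decide against the requester before touching the lock table,
# and never put a token in a response to someone who did not create it.
def lock_hardened(store: LockStore, uid: str, dav_path: str) -> tuple[int, dict]:
    if owner_of(dav_path) != uid:                                  # simplified owner-only rule
        return 403, {"error": "forbidden"}
    existing = store.locks.get(dav_path)
    if existing is not None:
        return 423, {"error": "locked", "lockedBy": existing.holder}   # no token in the body
    token = new_token()
    store.locks[dav_path] = Lock(uid, token)
    return 200, {"token": token}


def unlock_hardened(store: LockStore, uid: str, dav_path: str, token: str) -> tuple[int, dict]:
    if owner_of(dav_path) != uid:
        return 403, {"error": "forbidden"}
    existing = store.locks.get(dav_path)
    if existing is None:
        return 409, {"error": "not locked"}
    if not secrets.compare_digest(existing.token, token):
        return 403, {"error": "forbidden"}       # same answer for a wrong token as for a wrong user
    del store.locks[dav_path]
    return 204, {}


def scenario() -> dict:
    """Constructed run: Alice's client locks her file; Mallory targets Alice's absolute DAV path."""
    victim_path = "/remote.php/dav/files/alice/Projects/budget.xlsx"
    out = {}

    store = LockStore()
    _, body = lock_vulnerable(store, "alice", victim_path)
    alice_token = body["token"]
    _, body = lock_vulnerable(store, "mallory", victim_path)        # 423 carrying Alice's token
    leaked = body.get("token")
    status, _ = unlock_vulnerable(store, "mallory", victim_path, leaked or "")
    out["vulnerable"] = {"leaked_token": leaked == alice_token, "unlock_status": status,
                         "still_locked": victim_path in store.locks}

    store = LockStore()
    lock_hardened(store, "alice", victim_path)
    lock_status, body = lock_hardened(store, "mallory", victim_path)
    status, _ = unlock_hardened(store, "mallory", victim_path, "opaquelocktoken:guess")
    out["hardened"] = {"lock_status": lock_status, "token_in_body": "token" in body,
                       "unlock_status": status, "still_locked": victim_path in store.locks}
    return out


if __name__ == "__main__":
    print(scenario())
```

`scenario()` walks both variants. In the vulnerable pair, Mallory's LOCK on a path she does not own answers 423 with Alice's token, which then satisfies UNLOCK and drops the lock her client placed; in the hardened pair the authorisation decision is made against the requester first, the 423 carries only the holder's name, and a wrong token gets the same 403 as a wrong user.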
CVE-2026-45282 (GCVE-0-2026-45282)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:53 – Updated: 2026-06-01 19:28
Title
Nextcloud: Logged-in user bypasses share password and download restrictions on Text attachments via documentId leads to unauthorized file access
Summary
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authenticated attacker can access attachments of link shares when knowing the share token, circumventing password protection or download restrictions. It is applicable to any file that is shared directly, as the attacker only needs to know a documentId they own, apart from the mentioned share token. For shared folders the attacker has to know or guess a documentId of a file that is included inside the folder, making it much harder to exploit. The attacker can only extract attachments, not the shared file or folder itself. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17 or 27.1.11.5
Severity
6.5 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
GitHub_M
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/text/pull/8499 | x_refsource_MISC |
| https://hackerone.com/reports/3577244 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| nextcloud | security-advisories | Affected: >= 32.0.0, < 32.0.9; Affected: >= 33.0.0, < 33.0.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45282",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T19:28:33.016749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T19:28:48.405Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 32.0.0, \u003c 32.0.9"
},
{
"status": "affected",
"version": "\u003e= 33.0.0, \u003c 33.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authenticated attacker can access attachments of link shares when knowing the share token, circumventing password protection or download restrictions. It is applicable to any file that is shared directly, as the attacker only needs to know a documentId they own, apart of the mentioned share token. For shared folders the attacker has to know or guess a documentId of a file that is included inside the folder, making it much harder to exploit. The attacker can only extract an attachments, but not the file shared file or folder itself. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17 or 27.1.11.5"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:53:18.823Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-35fx-69q6-xpjr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-35fx-69q6-xpjr"
},
{
"name": "https://github.com/nextcloud/text/pull/8499",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/text/pull/8499"
},
{
"name": "https://hackerone.com/reports/3577244",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3577244"
}
],
"source": {
"advisory": "GHSA-35fx-69q6-xpjr",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Logged-in user bypasses share password and download restrictions on Text attachments via documentId leads to unauthorized file access"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45282",
"datePublished": "2026-06-01T16:53:18.823Z",
"dateReserved": "2026-05-11T18:41:13.157Z",
"dateUpdated": "2026-06-01T19:28:48.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45281 (GCVE-0-2026-45281)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:52 – Updated: 2026-06-01 19:22
Title
Nextcloud: Cross-Account Calendar Takeover via Unauthorized Group-Member-Set Update
Summary
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with knowledge of another user's principal URL an attacker could send a request to gain full access to that user's calendar. To do so, the attacker must be an authenticated user. The cause is improper authorization controls in the calendar backend. With that access, the attacker is able to view and modify the calendar. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, 27.1.11.26, 26.0.13.26, 25.0.13.29, 24.0.12.34, 23.0.12.35, 22.2.10.39, or 21.0.9.23
Severity
8.1 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
GitHub_M
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/server/pull/59962 | x_refsource_MISC |
| https://hackerone.com/reports/3545964 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| nextcloud | security-advisories | Affected: >= 32.0.0, < 32.0.9; Affected: >= 33.0.0, < 33.0.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45281",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T19:22:37.089766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T19:22:51.714Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 32.0.0, \u003c 32.0.9"
},
{
"status": "affected",
"version": "\u003e= 33.0.0, \u003c 33.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with the knowledge of other users\u2019 principal URL an attacker could possibly send a request to gain full access to their calendar. Therefore, the attacker must be an authenticated user. This is because of improper authorization controls in the backend of the calendar. If the attacker had access to the calendar, they would be able to view and modify it. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, 27.1.11.26, 26.0.13.26, 25.0.13.29, 24.0.12.34, 23.0.12.35, 22.2.10.39, or 21.0.9.23"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:52:57.245Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hrrv-mp25-26vv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hrrv-mp25-26vv"
},
{
"name": "https://github.com/nextcloud/server/pull/59962",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/server/pull/59962"
},
{
"name": "https://hackerone.com/reports/3545964",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3545964"
}
],
"source": {
"advisory": "GHSA-hrrv-mp25-26vv",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Cross-Account Calendar Takeover via Unauthorized Group-Member-Set Update"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45281",
"datePublished": "2026-06-01T16:52:57.245Z",
"dateReserved": "2026-05-11T18:41:13.157Z",
"dateUpdated": "2026-06-01T19:22:51.714Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45279 (GCVE-0-2026-45279)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:52 – Updated: 2026-06-01 16:52
Title
Nextcloud: Limited path traversal via template API if using `{lang}` in config
Summary
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if {lang} is used in the template directory config value, non-admin users can in some cases copy arbitrary files (depending on unix permissions) into their own Nextcloud directory via a path traversal. It is recommended that the Nextcloud Server is upgraded to 32.0.4 or 31.0.14. It is recommended that the Nextcloud Enterprise Server is upgraded to 32.0.4, 31.0.14, 30.0.17.7, 29.0.17.12 or 28.0.14.15
Severity
4.4 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
GitHub_M
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/server/pull/57414/files | x_refsource_MISC |
| https://hackerone.com/reports/3468140 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| nextcloud | security-advisories | Affected: >= 31.0.0, < 31.0.14; Affected: >= 32.0.0, < 32.0.4 |
{
"containers": {
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 31.0.0, \u003c 31.0.14"
},
{
"status": "affected",
"version": "\u003e= 32.0.0, \u003c 32.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if {lang} is used in the template directory config value, non-admin users can in some cases copy arbitrary files (depending on unix permissions) into their own Nextcloud directory via a path traversal. It is recommended that the Nextcloud Server is upgraded to 32.0.4, 31.0.14. It is recommended that the Nextcloud Enterprise Server is upgraded to 32.0.4, 31.0.14, 30.0.17.7, 29.0.17.12, 28.0.14.15"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:52:18.958Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j33j-qph5-4wch",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j33j-qph5-4wch"
},
{
"name": "https://github.com/nextcloud/server/pull/57414/files",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/server/pull/57414/files"
},
{
"name": "https://hackerone.com/reports/3468140",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3468140"
}
],
"source": {
"advisory": "GHSA-j33j-qph5-4wch",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Limited path traversal via template API if using `{lang}` in config"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45279",
"datePublished": "2026-06-01T16:52:18.958Z",
"dateReserved": "2026-05-11T18:41:13.157Z",
"dateUpdated": "2026-06-01T16:52:18.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
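CVE-2026-45279 describes a `{lang}` placeholder in the template directory setting being filled with a value a non-admin user controls. The following is an added example written for this page, not Nextcloud's template code; the setting shape `{lang}`, the function names and the sandbox layout are assumptions. It puts a naive substitution beside one that allow-lists the tag and then verifies the resolved directory still lies under the template root:

```python
import os
import re
import tempfile

# Allow-list for what may replace the placeholder: "en", "de", "de_DE", "pt_BR", ...
LANG_RE = re.compile(r"[a-z]{2,3}(?:_[A-Z]{2})?")


def resolve_template_dir_naive(template_root: str, configured: str, lang: str) -> str:
    """Bug class: the requester's language tag is substituted into the configured path
    without validation, so a tag containing '../' walks out of the template root."""
    return os.path.join(template_root, configured.replace("{lang}", lang))


def resolve_template_dir_safe(template_root: str, configured: str, lang: str) -> str:
    """Allow-list the tag first, then confirm the resolved directory is inside the root.
    The second check is defence in depth: it also catches a symlink planted inside the root."""
    if not LANG_RE.fullmatch(lang):
        raise ValueError(f"rejected language tag: {lang!r}")
    root = os.path.realpath(template_root)
    resolved = os.path.realpath(os.path.join(root, configured.replace("{lang}", lang)))
    if os.path.commonpath([root, resolved]) != root:
        raise ValueError("template directory escapes the template root")
    return resolved


def run_demo() -> dict:
    """Constructed sandbox: templates/en/ next to a config/ directory that must stay private."""
    with tempfile.TemporaryDirectory() as tmp:
        template_root = os.path.join(tmp, "templates")
        os.makedirs(os.path.join(template_root, "en"))
        private_dir = os.path.join(tmp, "config")
        os.makedirs(private_dir)
        with open(os.path.join(private_dir, "config.php"), "w") as fh:
            fh.write("<?php $CONFIG = ['dbpassword' => 'constructed-sample'];\n")

        configured = "{lang}"      # assumed shape of a template directory setting using the placeholder
        evil_lang = "../config"    # traversal payload supplied as the "language"

        naive_dir = resolve_template_dir_naive(template_root, configured, evil_lang)
        naive_exposes_config = os.path.isfile(os.path.join(naive_dir, "config.php"))

        try:
            resolve_template_dir_safe(template_root, configured, evil_lang)
            safe_rejected = False
        except ValueError:
            safe_rejected = True

        good_dir = resolve_template_dir_safe(template_root, configured, "en")
        return {
            "naive_exposes_config": naive_exposes_config,
            "safe_rejected": safe_rejected,
            "good_dir_relative": os.path.relpath(good_dir, os.path.realpath(template_root)),
        }


if __name__ == "__main__":
    print(run_demo())
```

With the naive resolver, a "language" of `../config` makes the template listing operate on the directory next to the template root, and a copy-from-template operation then copies whatever the web server's unix permissions allow to read. The safe resolver rejects the tag on the allow-list alone; the `realpath`/`commonpath` check remains as a second gate for anything the regular expression would pass but that resolves elsewhere.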
CVE-2026-45278 (GCVE-0-2026-45278)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:51 – Updated: 2026-06-01 16:51
Title
Nextcloud: Open Redirect in user_oidc login flow via protocol-relative URL bypass
Summary
Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that redirect users to another website when the victim uses the attacker's link to log in via user OIDC. This issue has been patched in version 8.2.2.
Severity
3.3 (Low)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
GitHub_M
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/user_oidc/pull/1273 | x_refsource_MISC |
| https://hackerone.com/reports/3464925 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| nextcloud | security-advisories | Affected: >= 6.1.0, < 8.2.2 |
{
"containers": {
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.1.0, \u003c 8.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that would redirect users to another website, when the victim uses the attackers link to log in via user OIDC. This issue has been patched in version 8.2.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:51:55.339Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8wjr-5cg8-4w73",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8wjr-5cg8-4w73"
},
{
"name": "https://github.com/nextcloud/user_oidc/pull/1273",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/user_oidc/pull/1273"
},
{
"name": "https://hackerone.com/reports/3464925",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3464925"
}
],
"source": {
"advisory": "GHSA-8wjr-5cg8-4w73",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Open Redirect in user_oidc login flow via protocol-relative URL bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45278",
"datePublished": "2026-06-01T16:51:55.339Z",
"dateReserved": "2026-05-11T18:41:13.157Z",
"dateUpdated": "2026-06-01T16:51:55.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
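CVE-2026-45278 names the bug class only: a protocol-relative URL slipping past a "local path" check on the post-login redirect. The following is an added example written for this page, not code from the user_oidc app; the function names and the sample targets are constructed. It shows why a `startswith('/')` test accepts `//evil.example/` and what a validator that only allows a rooted same-origin path looks like:

```python
from urllib.parse import urlsplit

# Constructed sample post-login redirect targets for the demonstration (not from the advisory).
SAMPLE_TARGETS = [
    "/apps/files/",               # legitimate in-app path
    "/index.php/apps/calendar/",  # legitimate in-app path
    "https://evil.example/",      # absolute URL to a foreign host
    "//evil.example/phish",       # protocol-relative: resolved by the browser to https://evil.example/phish
    "/\\evil.example/",           # backslash form: browsers treat "\" like "/" in http(s) URLs
    "///evil.example/",           # extra leading slashes are also collapsed into an authority
    "/%2fevil.example",           # percent-encoded slash stays a same-origin path unless decoded first
    "javascript:alert(1)",        # a scheme, not a path
    "",                           # missing target
]


def naive_is_local(target: str) -> bool:
    """The reasoning the bug class relies on: "a target is local if it starts with '/'".
    A protocol-relative URL such as //evil.example/ also starts with '/', so it is accepted."""
    return target.startswith("/")


def safe_local_redirect(target: str, default: str = "/") -> str:
    """Return `target` only if it is a rooted path on the current origin, else `default`.

    Rejects absolute URLs (scheme or authority present), protocol-relative URLs, and the
    backslash and multi-slash spellings that browsers normalise into a host component.
    """
    if not target:
        return default
    candidate = target.replace("\\", "/")        # browsers treat "\" as "/" for http(s)
    if candidate.startswith("//"):               # any run of leading slashes: an authority follows
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:             # "https:", "javascript:", or a host part
        return default
    if not candidate.startswith("/"):            # require a rooted path; no relative forms
        return default
    return candidate


def compare(targets=SAMPLE_TARGETS) -> dict:
    """Map each target to (naive verdict, where the safe validator actually sends the user)."""
    return {t: (naive_is_local(t), safe_local_redirect(t)) for t in targets}


if __name__ == "__main__":
    for target, (naive_ok, safe_target) in compare().items():
        print(f"{target!r:32} naive_local={naive_ok!s:5} safe_redirect={safe_target!r}")
```

Running it prints the verdicts side by side. The validator also refuses `/\evil.example/` and `///evil.example/`, which browsers collapse to an authority, and leaves `/%2fevil.example` alone because it remains a same-origin path as long as the server does not decode it before building the Location header. The same idea applies to any `redirect_url`, `returnTo` or `state`-carried target in an OIDC or SAML login flow: validate the final destination, not the string as submitted.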
CVE-2026-45277 (GCVE-0-2026-45277)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:51 – Updated: 2026-06-01 21:43
Title
Nextcloud: Information disclosure in Nextcloud Approval app via fileId parameter reveals workflow associations
Summary
Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, authenticated users can check if arbitrary files are associated with specific approval workflows where they can request approval. This issue has been patched in version 2.7.2.
Severity
3.3 (Low)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
GitHub_M
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/approval/pull/356 | x_refsource_MISC |
| https://hackerone.com/reports/3475210 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nextcloud | security-advisories | Affected: < 2.7.2 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45277",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T21:43:07.958628Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T21:43:17.556Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, authenticated users can check if arbitrary files are associated with specific approval workflows where they can request approval. This issue has been patched in version 2.7.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:51:34.087Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h7gm-vgxr-9hcw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h7gm-vgxr-9hcw"
},
{
"name": "https://github.com/nextcloud/approval/pull/356",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/approval/pull/356"
},
{
"name": "https://hackerone.com/reports/3475210",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3475210"
}
],
"source": {
"advisory": "GHSA-h7gm-vgxr-9hcw",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Information disclosure in Nextcloud Approval app via fileId parameter reveals workflow associations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45277",
"datePublished": "2026-06-01T16:51:34.087Z",
"dateReserved": "2026-05-11T18:41:13.157Z",
"dateUpdated": "2026-06-01T21:43:17.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45275 (GCVE-0-2026-45275)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:51 – Updated: 2026-06-01 19:31
VLAI
Title
Nextcloud: Authorization bypass in approval feature allows unauthorized file sharing with approvers
Summary
Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, a privilege escalation vulnerability exists in the Approval app that allows a user without sharing permissions to force the system to share a file with approvers. This results in an authorization bypass and privilege escalation, allowing unauthorized distribution of restricted files. This issue has been patched in version 2.7.2.
Severity
6.5 (Medium)
CWE
- CWE-285 - Improper Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/approval/pull/392 | x_refsource_MISC |
| https://hackerone.com/reports/3593780 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nextcloud | security-advisories | Affected: < 2.7.2 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45275",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T19:31:41.793146Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T19:31:53.967Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, a privilege escalation vulnerability exists in the Approval app that allows a user without sharing permissions to force the system to share a file with approvers. This results in an authorization bypass and privilege escalation, allowing unauthorized distribution of restricted files. This issue has been patched in version 2.7.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:51:22.429Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v8q8-w6c3-3gv9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v8q8-w6c3-3gv9"
},
{
"name": "https://github.com/nextcloud/approval/pull/392",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/approval/pull/392"
},
{
"name": "https://hackerone.com/reports/3593780",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3593780"
}
],
"source": {
"advisory": "GHSA-v8q8-w6c3-3gv9",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Authorization bypass in approval feature allows unauthorized file sharing with approvers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45275",
"datePublished": "2026-06-01T16:51:22.429Z",
"dateReserved": "2026-05-11T18:41:13.157Z",
"dateUpdated": "2026-06-01T19:31:53.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45267 (GCVE-0-2026-45267)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:40 – Updated: 2026-06-01 18:12
VLAI
Title
Nextcloud: Missing permission check for form submissions
Summary
Nextcloud is an open source content collaboration platform. Prior to version 5.2.6, a missing permissions check allowed users to request reading form submissions of other users. This issue has been patched in version 5.2.6.
Severity
6.5 (Medium)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/forms/pull/3269 | x_refsource_MISC |
| https://hackerone.com/reports/3628817 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nextcloud | security-advisories | Affected: < 5.2.6 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45267",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T18:12:13.355883Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T18:12:23.278Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003c 5.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. Prior to version 5.2.6, a missing permissions check allowed users to request reading form submissions of other users. This issue has been patched in version 5.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:40:18.592Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r4gh-f8x6-m55f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r4gh-f8x6-m55f"
},
{
"name": "https://github.com/nextcloud/forms/pull/3269",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/forms/pull/3269"
},
{
"name": "https://hackerone.com/reports/3628817",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3628817"
}
],
"source": {
"advisory": "GHSA-r4gh-f8x6-m55f",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Missing permission check for from submissions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45267",
"datePublished": "2026-06-01T16:40:18.592Z",
"dateReserved": "2026-05-11T18:41:13.156Z",
"dateUpdated": "2026-06-01T18:12:23.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45266 (GCVE-0-2026-45266)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:39 – Updated: 2026-06-01 17:40
VLAI
Title
Nextcloud: Unauthorized force-mute from missing permission check when using internal signaling
Summary
Nextcloud is an open source content collaboration platform. Prior to versions 21.1.10, 22.0.11, and 23.0.3, a low-privileged user can force other users' microphones to be muted in calls when no High-performance Backend is installed. This issue has been patched in versions 21.1.10, 22.0.11, and 23.0.3.
Severity
CWE
- CWE-284 - Improper Access Control
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/spreed/pull/17577 | x_refsource_MISC |
| https://hackerone.com/reports/3636758 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nextcloud | security-advisories | Affected: < 21.1.10; Affected: < 22.0.11; Affected: < 23.0.3 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45266",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T17:35:39.122672Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T17:40:19.878Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003c 21.1.10"
},
{
"status": "affected",
"version": "\u003c 22.0.11"
},
{
"status": "affected",
"version": "\u003c 23.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. Prior to versions 21.1.10, 22.0.11, and 23.0.3, a low-privileged user can force other user\u0027s microphones to be muted in calls when no High-performance Backend is installed. This issue has been patched in versions 21.1.10, 22.0.11, and 23.0.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:39:56.879Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x75r-65hm-cw35",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x75r-65hm-cw35"
},
{
"name": "https://github.com/nextcloud/spreed/pull/17577",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/spreed/pull/17577"
},
{
"name": "https://hackerone.com/reports/3636758",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3636758"
}
],
"source": {
"advisory": "GHSA-x75r-65hm-cw35",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Unauthorized force-mute from missing permission check when using internal signaling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45266",
"datePublished": "2026-06-01T16:39:56.879Z",
"dateReserved": "2026-05-11T18:41:13.156Z",
"dateUpdated": "2026-06-01T17:40:19.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45159 (GCVE-0-2026-45159)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:39 – Updated: 2026-06-01 19:30
VLAI
Title
Nextcloud: Files drop share links for end-to-end encrypted folders allowed dropping files into other folders of the share owner
Summary
Nextcloud is an open source content collaboration platform. From versions 1.15.0 to before 1.15.4, 1.16.0 to before 1.16.3, 1.17.0 to before 1.17.1, and 1.18.0 to before 1.18.1, a malicious user with access to an end-to-end encrypted files drop link was able to also drop files into other end-to-end encrypted folders of the share owner. Reading and modifying other files was not possible. This issue has been patched in versions 1.15.4, 1.16.3, 1.17.1, 1.18.1, and 2.0.0-rc.7.
Severity
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/end_to_end_encryptio… | x_refsource_MISC |
| https://hackerone.com/reports/3304830 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nextcloud | security-advisories | Affected: >= 1.15.0, < 1.15.4; Affected: >= 1.16.0, < 1.16.3; Affected: >= 1.17.0, < 1.17.1; Affected: >= 1.18.0, < 1.18.1 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45159",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T19:30:14.088508Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T19:30:25.192Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.15.0, \u003c 1.15.4"
},
{
"status": "affected",
"version": "\u003e= 1.16.0, \u003c 1.16.3"
},
{
"status": "affected",
"version": "\u003e= 1.17.0, \u003c 1.17.1"
},
{
"status": "affected",
"version": "\u003e= 1.18.0, \u003c 1.18.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. From versions 1.15.0 to before 1.15.4, 1.16.0 to before 1.16.3, 1.17.0 to before 1.17.1, and 1.18.0 to before 1.18.1, a malicious user with access to an end-to-end encrypted files drop link was able to also drop files into other end-to-end encrypted folders of the share owner. Reading and modifying of other files was not possible. This issue has been patched in versions 1.15.4, 1.16.3, 1.17.1, 1.18.1, and 2.0.0-rc.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:39:38.836Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p3qw-7gwx-wg24",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p3qw-7gwx-wg24"
},
{
"name": "https://github.com/nextcloud/end_to_end_encryption/pull/1395",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/end_to_end_encryption/pull/1395"
},
{
"name": "https://hackerone.com/reports/3304830",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3304830"
}
],
"source": {
"advisory": "GHSA-p3qw-7gwx-wg24",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45159",
"datePublished": "2026-06-01T16:39:38.836Z",
"dateReserved": "2026-05-08T20:44:38.965Z",
"dateUpdated": "2026-06-01T19:30:25.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45157 (GCVE-0-2026-45157)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:39 – Updated: 2026-06-01 18:49
VLAI
Title
Nextcloud: Valid share tokens allow access to temporary upload files of share owner
Summary
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a malicious user has access to a file share of a user, they could use this share token to also access the chunking upload directly and see temporary part files during ongoing uploads. It is recommended that the Nextcloud Server is upgraded to 32.0.9 or 33.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 26.0.13.26, 27.1.11.25, 28.0.14.17, 29.0.16.16, 30.0.17.9, 31.0.14.5, 32.0.9 or 33.0.3
Severity
6.3 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/server/pull/59780 | x_refsource_MISC |
| https://hackerone.com/reports/3483708 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nextcloud | security-advisories | Affected: >= 32.0.0, < 32.0.9; Affected: >= 33.0.0, < 33.0.3 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45157",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T18:49:11.015107Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T18:49:19.371Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 32.0.0, \u003c 32.0.9"
},
{
"status": "affected",
"version": "\u003e= 33.0.0, \u003c 33.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a malicious user has access to a file share of a user, they could use this share token to also access the chunking upload directly and see temporary part files during on going uploads. It is recommended that the Nextcloud Server is upgraded to 32.0.9 or 33.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 26.0.13.26, 27.1.11.25, 28.0.14.17, 29.0.16.16, 30.0.17.9, 31.0.14.5, 32.0.9 or 33.0.3"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:39:12.214Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-45pj-p7x7-4mhc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-45pj-p7x7-4mhc"
},
{
"name": "https://github.com/nextcloud/server/pull/59780",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/server/pull/59780"
},
{
"name": "https://hackerone.com/reports/3483708",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3483708"
}
],
"source": {
"advisory": "GHSA-45pj-p7x7-4mhc",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Valid share tokens allow to access tempory upload files of share owner"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45157",
"datePublished": "2026-06-01T16:39:12.214Z",
"dateReserved": "2026-05-08T20:44:38.964Z",
"dateUpdated": "2026-06-01T18:49:19.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45156 (GCVE-0-2026-45156)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:38 – Updated: 2026-06-01 18:12
VLAI
Title
Nextcloud: Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC
Summary
Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been patched in versions 3.1.0, 4.1.0, 5.1.0, 6.4.0 and 8.3.0.
Severity
8.1 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/user_oidc/pull/1285 | x_refsource_MISC |
| https://hackerone.com/reports/3489490 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nextcloud | security-advisories | Affected: >= 0.3.0, < 3.1.0; Affected: >= 5.0.0, < 5.1.0; Affected: >= 6.0.0, < 6.4.0 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45156",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T18:12:50.808465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T18:12:59.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.3.0, \u003c 3.1.0"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.1.0"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been patched in versions 3.1.0, 4.1.0, 5.1.0, 6.4.0 and 8.3.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:38:46.470Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qqgv-fqwp-mjpp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qqgv-fqwp-mjpp"
},
{
"name": "https://github.com/nextcloud/user_oidc/pull/1285",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/user_oidc/pull/1285"
},
{
"name": "https://hackerone.com/reports/3489490",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3489490"
}
],
"source": {
"advisory": "GHSA-qqgv-fqwp-mjpp",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45156",
"datePublished": "2026-06-01T16:38:46.470Z",
"dateReserved": "2026-05-08T20:44:38.964Z",
"dateUpdated": "2026-06-01T18:12:59.272Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45155 (GCVE-0-2026-45155)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:38 – Updated: 2026-06-01 18:09
VLAI
Title
Nextcloud: Private circle can be added to another circle via API
Summary
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.7 and 33.0.0 to before 33.0.1, a missing access check on API level allowed adding unknown circles by their ID directly to other circles. Since circle IDs have 62^15 complexity by default, this is still unlikely to be executable at will, but if access to an ID was available via another source, memberships could be tracked this way. It is recommended that the Nextcloud Server is upgraded to 32.0.7 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7 or 33.0.1
Severity
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/circles/pull/2401 | x_refsource_MISC |
| https://hackerone.com/reports/3511998 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nextcloud | security-advisories | Affected: >= 32.0.0, < 32.0.7; Affected: >= 33.0.0, < 33.0.1 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45155",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T18:09:03.555046Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T18:09:28.247Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 32.0.0, \u003c 32.0.7"
},
{
"status": "affected",
"version": "\u003e= 33.0.0, \u003c 33.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.7 and 33.0.0 to before 33.0.1, a missing access check on API level allowed to add unknown circles by their ID directly to other circles. Since circle IDs have 62^15 complexity by default this is still unlikely to be executable at will, but if access to an ID was available via another source, memberships could be tracked like this. It is recommended that the Nextcloud Server is upgraded to 32.0.7 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7 or 33.0.1"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:38:33.335Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xpgv-grf9-gm7x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xpgv-grf9-gm7x"
},
{
"name": "https://github.com/nextcloud/circles/pull/2401",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/circles/pull/2401"
},
{
"name": "https://hackerone.com/reports/3511998",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3511998"
}
],
"source": {
"advisory": "GHSA-xpgv-grf9-gm7x",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Private circle can be added to another circle via API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45155",
"datePublished": "2026-06-01T16:38:33.335Z",
"dateReserved": "2026-05-08T20:44:38.964Z",
"dateUpdated": "2026-06-01T18:09:28.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45154 (GCVE-0-2026-45154)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:37 – Updated: 2026-06-01 17:40
Title
Nextcloud: Improper Access Control in Collectives
Summary
Nextcloud is an open source content collaboration platform. From version 2.6.0 to before version 4.3.0, when a previous collective pages was deleted and the collective was shared view-only, guests with access to the collective were able to access the deleted pages directly from the trashbin. This issue has been patched in version 4.3.0.
Severity
CWE
- CWE-284 - Improper Access Control
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/collectives/pull/2432 | x_refsource_MISC |
| https://hackerone.com/reports/3521434 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| nextcloud | security-advisories | Affected: >= 2.6.0, < 4.3.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45154",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T17:40:40.788059Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T17:40:50.457Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.6.0, \u003c 4.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. From version 2.6.0 to before version 4.3.0, when a previous collective pages was deleted and the collective was shared view-only, guests with access to the collective were able to access the deleted pages directly from the trashbin. This issue has been patched in version 4.3.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:37:41.710Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8mpv-ggq8-hf3w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8mpv-ggq8-hf3w"
},
{
"name": "https://github.com/nextcloud/collectives/pull/2432",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/collectives/pull/2432"
},
{
"name": "https://hackerone.com/reports/3521434",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3521434"
}
],
"source": {
"advisory": "GHSA-8mpv-ggq8-hf3w",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: Improper Access Control in Collectives"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45154",
"datePublished": "2026-06-01T16:37:41.710Z",
"dateReserved": "2026-05-08T20:44:38.964Z",
"dateUpdated": "2026-06-01T17:40:50.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45153 (GCVE-0-2026-45153)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:37 – Updated: 2026-06-01 17:53
Title
Nextcloud: PIN bypass in PassCodeActivity via back button
Summary
Nextcloud is an open source content collaboration platform. From version 33.0.0 to before version 33.1.0, after unlocking a locked Android phone the back-button could be used to bypass the Nextcloud Files app PIN. This issue has been patched in version 33.1.0.
Severity
4.6 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/android/pull/16896 | x_refsource_MISC |
| https://hackerone.com/reports/3625210 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| nextcloud | security-advisories | Affected: >= 33.0.0, < 33.1.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45153",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T17:53:30.524011Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T17:53:36.647Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 33.0.0, \u003c 33.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. From version 33.0.0 to before version 33.1.0, after unlocking a locked Android phone the back-button could be used to bypass the Nextcloud Files app PIN. This issue has been patched in version 33.1.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:37:12.319Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2w7v-5299-3hw5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2w7v-5299-3hw5"
},
{
"name": "https://github.com/nextcloud/android/pull/16896",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/android/pull/16896"
},
{
"name": "https://hackerone.com/reports/3625210",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3625210"
}
],
"source": {
"advisory": "GHSA-2w7v-5299-3hw5",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: PIN bypass in PassCodeActivity via back button"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45153",
"datePublished": "2026-06-01T16:37:12.319Z",
"dateReserved": "2026-05-08T20:44:38.964Z",
"dateUpdated": "2026-06-01T17:53:36.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45264 (GCVE-0-2026-45264)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:36 – Updated: 2026-06-01 17:47
Title
Nextcloud: ACL Rename Permission Bypass in Team Folders Allows Unauthorized File Renames
Summary
Nextcloud is an open source content collaboration platform. From versions 17.0.0 to before 17.0.15, 18.0.0 to before 18.1.12, 19.0.0 to before 19.1.16, 20.0.0 to before 20.1.11, and 21.0.0 to before 21.0.4, a user with READ and CREATE permission, but no UPDATE permission for a team folder can rename files in the team folder. This issue has been patched in versions 17.0.15, 18.1.12, 19.1.16, 20.1.11, and 21.0.4.
Severity
4.3 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/groupfolders/pull/4361 | x_refsource_MISC |
| https://hackerone.com/reports/3540673 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| nextcloud | security-advisories | Affected: >= 17.0.0, < 17.0.15; >= 18.0.0, < 18.1.12; >= 19.0.0, < 19.1.16; >= 20.0.0, < 20.1.11; >= 21.0.0, < 21.0.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45264",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T17:47:35.907468Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T17:47:41.930Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 17.0.0, \u003c 17.0.15"
},
{
"status": "affected",
"version": "\u003e= 18.0.0, \u003c 18.1.12"
},
{
"status": "affected",
"version": "\u003e= 19.0.0, \u003c 19.1.16"
},
{
"status": "affected",
"version": "\u003e= 20.0.0, \u003c 20.1.11"
},
{
"status": "affected",
"version": "\u003e= 21.0.0, \u003c 21.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud is an open source content collaboration platform. From versions 17.0.0 to before 17.0.15, 18.0.0 to before 18.1.12, 19.0.0 to before 19.1.16, 20.0.0 to before 20.1.11, and 21.0.0 to before 21.0.4, a user with READ and CREATE permission, but no UPDATE permission for a team folder can rename files in the team folder. This issue has been patched in versions 17.0.15, 18.1.12, 19.1.16, 20.1.11, and 21.0.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:36:57.130Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wx2x-822r-rvmf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wx2x-822r-rvmf"
},
{
"name": "https://github.com/nextcloud/groupfolders/pull/4361",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/groupfolders/pull/4361"
},
{
"name": "https://hackerone.com/reports/3540673",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3540673"
}
],
"source": {
"advisory": "GHSA-wx2x-822r-rvmf",
"discovery": "UNKNOWN"
},
"title": "Nextcloud: ACL Rename Permission Bypass in Team Folders Allows Unauthorized File Renames"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45264",
"datePublished": "2026-06-01T16:36:57.130Z",
"dateReserved": "2026-05-11T18:41:13.156Z",
"dateUpdated": "2026-06-01T17:47:41.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44515 (GCVE-0-2026-44515)
Vulnerability from cvelistv5 – Published: 2026-05-14 16:36 – Updated: 2026-05-14 21:32
Title
Nextcloud News: Authenticated blind SSRF via feed URL
Summary
Nextcloud News is an RSS/Atom feed reader. Prior to 28.3.0-beta.1, Nextcloud News allows authenticated users to add feeds by providing a feed URL (via the web interface or the API). In affected versions, an authenticated attacker could provide a URL pointing to internal/private IP ranges or localhost, causing the Nextcloud server to perform server-side HTTP requests to attacker-controlled destinations, but not relaying the result. This enables blind SSRF, which can be used to scan or probe internal network services that are reachable from the Nextcloud server. This vulnerability is fixed in 28.3.0-beta.1.
Severity
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/nextcloud/news/security/adviso… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44515",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T18:30:38.223355Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T21:32:18.181Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "news",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003c 28.3.0-beta.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud News is an RSS/Atom feed reader. Prior to 28.3.0-beta.1, Nextcloud News allows authenticated users to add feeds by providing a feed URL (via the web interface or the API). In affected versions, an authenticated attacker could provide a URL pointing to internal/private IP ranges or localhost, causing the Nextcloud server to perform server-side HTTP requests to attacker-controlled destinations, but not relaying the result. This enables blind SSRF, which can be used to scan or probe internal network services that are reachable from the Nextcloud server. This vulnerability is fixed in 28.3.0-beta.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T16:36:11.860Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/news/security/advisories/GHSA-jcfr-rmj6-cpfj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/news/security/advisories/GHSA-jcfr-rmj6-cpfj"
}
],
"source": {
"advisory": "GHSA-jcfr-rmj6-cpfj",
"discovery": "UNKNOWN"
},
"title": "Nextcloud News: Authenticated blind SSRF via feed URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44515",
"datePublished": "2026-05-14T16:36:11.860Z",
"dateReserved": "2026-05-06T18:28:20.887Z",
"dateUpdated": "2026-05-14T21:32:18.181Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23696 (GCVE-0-2026-23696)
Vulnerability from cvelistv5 – Published: 2026-04-07 16:50 – Updated: 2026-05-25 23:41
Title
Windmill < 1.603.3 File Ownership Handling SQLi RCE
Summary
Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints.
Severity
9.9 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://chocapikk.com/posts/2026/windfall-nextclo… | technical-description, exploit |
| https://github.com/Chocapikk/Windfall | exploit |
| https://github.com/windmill-labs/windmill/release… | release-notes |
| https://github.com/windmill-labs/windmill/commit/… | patch |
| https://www.windmill.dev/ | product |
| https://apps.nextcloud.com/apps/flow/releases | release-notes |
| https://www.vulncheck.com/advisories/windmill-fil… | third-party-advisory |
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Windmill Labs | Windmill CE (Community Edition) | Affected: 1.276.0, ≤ 1.603.2 (semver); Unaffected: 1.603.3 |
| Windmill Labs | Windmill EE (Enterprise Edition) | Affected: 1.276.0, ≤ 1.603.2 (semver); Unaffected: 1.603.3 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23696",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T03:55:43.162Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Windmill CE (Community Edition)",
"repo": "https://github.com/windmill-labs/windmill",
"vendor": "Windmill Labs",
"versions": [
{
"lessThanOrEqual": "1.603.2",
"status": "affected",
"version": "1.276.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "1.603.3"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Windmill EE (Enterprise Edition)",
"repo": "https://github.com/windmill-labs/windmill",
"vendor": "Windmill Labs",
"versions": [
{
"lessThanOrEqual": "1.603.2",
"status": "affected",
"version": "1.276.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "1.603.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Valentin Lobstein (Chocapikk)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints."
}
],
"value": "Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T23:41:39.422Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Chocapikk/Windfall"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/windmill-labs/windmill/releases/tag/v1.603.3"
},
{
"tags": [
"patch"
],
"url": "https://github.com/windmill-labs/windmill/commit/942fb629210ebb287f48467d1535ffde3a3eeafe"
},
{
"tags": [
"product"
],
"url": "https://www.windmill.dev/"
},
{
"tags": [
"release-notes"
],
"url": "https://apps.nextcloud.com/apps/flow/releases"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/windmill-file-ownership-handling-sqli-rce"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Windmill \u003c 1.603.3 File Ownership Handling SQLi RCE",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-23696",
"datePublished": "2026-04-07T16:50:53.231Z",
"dateReserved": "2026-01-14T22:02:15.209Z",
"dateUpdated": "2026-05-25T23:41:39.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22683 (GCVE-0-2026-22683)
Vulnerability from cvelistv5 – Published: 2026-04-07 16:50 – Updated: 2026-05-25 23:41
Title
Windmill < 1.615.0 Operator Role Missing Authorization Checks RCE
Summary
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0.
Severity
CWE
- CWE-862 - Missing Authorization
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://chocapikk.com/posts/2026/windfall-nextclo… | technical-description, exploit |
| https://github.com/Chocapikk/Windfall | exploit |
| https://github.com/windmill-labs/windmill/release… | release-notes |
| https://github.com/windmill-labs/windmill/commit/… | patch |
| https://www.windmill.dev/ | product |
| https://apps.nextcloud.com/apps/flow/releases | release-notes |
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Windmill Labs | Windmill CE (Community Edition) | Affected: 1.56.0, ≤ 1.614.0 (semver); Unaffected: 1.615.0 |
| Windmill Labs | Windmill EE (Enterprise Edition) | Affected: 1.56.0, ≤ 1.614.0 (semver); Unaffected: 1.615.0 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22683",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T03:55:45.209485Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T13:04:17.928Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Windmill CE (Community Edition)",
"vendor": "Windmill Labs",
"versions": [
{
"lessThanOrEqual": "1.614.0",
"status": "affected",
"version": "1.56.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "1.615.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Windmill EE (Enterprise Edition)",
"vendor": "Windmill Labs",
"versions": [
{
"lessThanOrEqual": "1.614.0",
"status": "affected",
"version": "1.56.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "1.615.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Valentin Lobstein (Chocapikk)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0."
}
],
"value": "Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T23:41:38.739Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Chocapikk/Windfall"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/windmill-labs/windmill/releases/tag/v1.615.0"
},
{
"tags": [
"patch"
],
"url": "https://github.com/windmill-labs/windmill/commit/c621a74804f4f6e8318819c01e3a23a17698588b"
},
{
"tags": [
"product"
],
"url": "https://www.windmill.dev/"
},
{
"tags": [
"release-notes"
],
"url": "https://apps.nextcloud.com/apps/flow/releases"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Windmill \u003c 1.615.0 Operator Role Missing Authorization Checks RCE",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-22683",
"datePublished": "2026-04-07T16:50:30.297Z",
"dateReserved": "2026-01-08T19:04:26.365Z",
"dateUpdated": "2026-05-25T23:41:38.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64011 (GCVE-0-2025-64011)
Vulnerability from cvelistv5 – Published: 2025-12-12 00:00 – Updated: 2025-12-12 19:12
Summary
Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing permissions.
Severity
4.3 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-64011",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-12T19:12:30.962776Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T19:12:34.083Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing permissions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T17:08:10.217Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://drive.google.com/file/d/1eD3PN-u1caZYgGH96XHmJ7h_OBXEAHW4/view?usp=sharing"
},
{
"url": "https://nextcloud.com"
},
{
"url": "https://gist.github.com/tarekramm/586dfe2d113fedfee6d71182570fc090"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-64011",
"datePublished": "2025-12-12T00:00:00.000Z",
"dateReserved": "2025-10-27T00:00:00.000Z",
"dateUpdated": "2025-12-12T19:12:34.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}