By vendor
Nextcloud vulnerabilities
Known CVEs affecting Nextcloud products, prioritized by severity, with SEC.co remediation and detection guidance.
17 published vulnerabilities
- CVE-2026-45545HIGH 8.2
Nextcloud Tables contains a SQL injection vulnerability that allows authenticated users with Tables app access to execute SQL queries beyond the intended 20-byte limit. By crafting specially formed input, attackers can bypass this constraint and run arbitrary database commands to steal sensitive information or alter data. The vulnerability affects multiple Nextcloud versions and has been resolved in patched releases.
- CVE-2026-45281HIGH 8.1
Nextcloud Server contains an authorization flaw in its calendar functionality that allows authenticated attackers to access other users' calendars if they know the target's principal URL. An attacker with valid Nextcloud credentials can exploit improper access controls to view and modify calendars belonging to other users, effectively bypassing permission boundaries. The vulnerability requires prior knowledge of another user's identifier and valid authentication to the Nextcloud instance.
- CVE-2026-45722HIGH 7.1
A vulnerability in Nextcloud's Tables app allows authenticated users to inject malicious SQL code through the ORDER BY clause of database queries. While this type of SQL injection is more limited than typical variants—attackers can extract only small amounts of data per request or cause database delays—it still poses a meaningful confidentiality and availability risk. The flaw affects Nextcloud Tables versions 0.9.0 through 0.9.6 and 1.0.0 through 1.0.1. Nextcloud has released patches that organizations should apply promptly.
- CVE-2026-45810MEDIUM 6.8
Nextcloud Server contains an authorization flaw that allows any authenticated user with access to a single file comment to read all comments across the system. The vulnerability stems from missing validation when retrieving comment data, effectively breaking comment-level access controls. An attacker needs valid Nextcloud credentials and interaction with at least one comment, but can then enumerate and read comments they should not have permission to access. This affects Nextcloud Server 31.0.0 through 31.0.11 and 32.0.0 through 32.0.2, with critical patches available.
- CVE-2026-45275MEDIUM 6.5
A vulnerability in Nextcloud's Approval app allows users to bypass permission controls and force files to be shared with approvers, even when they lack sharing rights. An attacker with basic user credentials can exploit this to distribute restricted files without authorization. Nextcloud addressed this in version 2.7.2.
- CVE-2026-45282MEDIUM 6.5
Nextcloud Server contains a flaw that allows an authenticated user to download file attachments from password-protected or restricted link shares if they know the share token and have access to a document ID. This bypasses the intended security controls around shared links. The attacker can only extract attached files, not the shared documents themselves, and the vulnerability requires prior authentication and knowledge of specific document identifiers.
- CVE-2026-45285MEDIUM 6.4
Nextcloud inadvertently creates hidden public links when users share folders or files with Teams that include external members (people invited via email without Nextcloud accounts). These links remain invisible in the sharing interface but are emailed to the external recipient and grant full permissions—read, write, delete, reshare, download. An attacker intercepting or receiving one of these links gains unfettered access to all shared data without authentication, and the folder owner cannot see or revoke the link through normal UI controls. Versions 32.0.0–32.0.8 and 33.0.0–33.0.2 are vulnerable; patches are available.
- CVE-2026-45283MEDIUM 6.3
Nextcloud Server contains a file access control vulnerability in its files_lock app that allows authenticated users to manipulate file locks belonging to other users. By knowing the WebDAV paths of files owned by colleagues, an attacker could lock or unlock those files without authorization. Additionally, the vulnerability exposes lock tokens in error messages, enabling attackers to remove locks that other users' applications have legitimately placed. This requires an attacker to be a registered user with valid credentials, but does not require special privileges. The issue affects Nextcloud Server versions 32.0.0 through 32.0.1 and 33.0.0 through 33.0.0, with enterprise deployments on version 31 also at risk.
- CVE-2026-45690MEDIUM 5.9
Nextcloud Server contains an authentication bypass flaw that lets attackers with a valid password defeat two-factor authentication (2FA). During login, the system temporarily grants a session token before asking for the second factor. An attacker who intercepts this token can replay it using HTTP Basic Authentication to access the account without providing the 2FA code. This affects Nextcloud Server versions 32.0.0 through 32.0.8 and 33.0.0 through 33.0.2, as well as older Enterprise Server branches. The vulnerability requires knowledge of the user's password, limiting opportunistic exploitation but creating a material risk for password-compromised accounts.
- CVE-2026-45691MEDIUM 5.9
Nextcloud Server contains a session management flaw that allows attackers to bypass two-factor authentication (2FA). When a user logs in with their password but hasn't completed TOTP verification yet, a temporary session cookie is created. An attacker with legitimate credentials can capture or reuse this intermediate cookie as a Bearer token to directly access file storage endpoints (DAV), gaining unauthorized read and write access while completely circumventing the mandatory 2FA requirement. This affects Nextcloud Server versions 32.0.0–32.0.8 and 33.0.0–33.0.2, as well as several Enterprise Server releases.
- CVE-2026-45543MEDIUM 5.3
A flaw in Nextcloud Forms allows collaborators who have been removed from a form to retain unauthorized read access to uploaded respondent files. This affects forms running Nextcloud versions 4.3.0 through 5.2.6. If a user previously had access to view form results, removing them as a collaborator does not fully revoke their ability to read uploaded files associated with that form. The vulnerability is limited to files uploaded within forms where the removed user previously held results-viewing permissions.
- CVE-2026-45284MEDIUM 4.6
Nextcloud's OIDC (OpenID Connect) user authentication module contains a flaw that allows deleted LDAP users to continue authenticating to the system. When an organization uses both LDAP and OIDC for user management, deletion of a user from LDAP does not properly prevent that user from logging in via OIDC. This creates an unintended persistence of access for users who should no longer have system privileges. The issue affects Nextcloud versions 1.3.6 through 8.3.x and has been resolved in version 8.4.0.
- CVE-2026-45279MEDIUM 4.4
Nextcloud Server contains a path traversal vulnerability that allows non-admin users to copy files into their own Nextcloud directories in certain scenarios. The vulnerability exists in specific versions and depends on underlying Unix file system permissions. An attacker would need already-elevated user privileges within Nextcloud to exploit this issue, limiting the practical threat surface.
- CVE-2026-45286MEDIUM 4.3
An authenticated user on a Nextcloud instance can discover other users' identities by abusing the Calendar app's attendee-suggestion feature. The vulnerability exists because this endpoint bypasses the access controls that Nextcloud applies elsewhere. An attacker already logged into the system can systematically enumerate valid usernames, potentially laying groundwork for targeted attacks like password spraying or social engineering. The flaw affects Nextcloud versions 5.5.13 through 5.5.16 and 6.2.0 through 6.2.2.
- CVE-2026-45544MEDIUM 4.3
Nextcloud Tables, a collaborative document and data management component, contains an information disclosure vulnerability affecting versions 0.8.0 through 1.0.3. The issue allows users with read-only access to view filter criteria—potentially including sensitive column names, field definitions, or search logic—that should have been restricted to higher-privilege users. This represents a low-severity data exposure that could leak operational details about table structure and content filtering strategies. The vulnerability has been resolved in Nextcloud Tables versions 1.0.4 and 2.0.0.
- CVE-2026-45277LOW 3.3
Nextcloud's approval workflow feature contains an information disclosure flaw that allows authenticated users to determine whether arbitrary files are connected to specific approval processes. An attacker with valid credentials can probe the system to learn if particular files have approval workflows attached, potentially revealing organizational file structures and approval dependencies that should remain confidential. The issue affects versions prior to 2.7.2 and does not require user interaction to exploit.
- CVE-2026-45278LOW 3.3
Nextcloud's user OIDC (OpenID Connect) module contains an open redirect vulnerability that allows attackers to craft malicious login links. When users click these links to authenticate via OIDC, they are redirected to attacker-controlled websites after logging in. This affects Nextcloud versions 6.1.0 through 8.2.1. The vulnerability has a low CVSS score because it requires user interaction and does not directly compromise confidentiality or availability.