CVE-2026-45153: Nextcloud Android Files App PIN Bypass via Back Button
Nextcloud Files app on Android has a PIN bypass vulnerability affecting versions 33.0.0 through 33.0.x. An attacker with physical access to an unlocked Android device can use the back button to circumvent the app's PIN protection and gain unauthorized access to files stored in the Nextcloud app. This is a local attack requiring the device to already be unlocked, but it effectively neutralizes the app-level security control that would normally protect sensitive files even if the phone falls into the wrong hands.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.6 MEDIUM · CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-287
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Nextcloud is an open source content collaboration platform. From version 33.0.0 to before version 33.1.0, after unlocking a locked Android phone the back-button could be used to bypass the Nextcloud Files app PIN. This issue has been patched in version 33.1.0.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45153 is an authentication bypass flaw in Nextcloud's Android Files application introduced in version 33.0.0. The vulnerability stems from improper handling of the back-button navigation event, which allows an authenticated but unprivileged user to bypass the app's PIN lock mechanism post-device-unlock. The attack surface is limited to users of affected Android versions of Nextcloud Files; the vulnerability does not affect the web client or other platforms. Root cause appears to involve failure to properly save or restore the PIN-locked state when returning from the lock screen, allowing navigation backwards through the app's activity stack without re-authentication.
Business impact
Organizations relying on Nextcloud Files as a secure mobile file sync solution for employees should recognize that the PIN protection—often deployed to meet data governance or compliance requirements—becomes ineffective during the window after device unlock. For firms handling HIPAA, PCI-DSS, or other regulated data, this may represent a compliance gap if the PIN was documented as a required control. The risk is mitigated by the requirement that the Android device itself must first be unlocked, but the secondary PIN layer is rendered moot. Loss of confidentiality is the primary concern; the impact on data integrity or availability is minimal.
Affected systems
The vulnerability affects Nextcloud Files app on Android devices running versions 33.0.0 through 33.0.x (specifically before 33.1.0). No other Nextcloud clients or platforms are affected. Administrators should inventory deployments and communicate to end users to update their mobile apps. The patch is available in Nextcloud version 33.1.0 and later.
Exploitability
Exploitability is low in general population terms because it requires physical possession of an unlocked Android device. Once the device is unlocked, no additional credentials are needed—the attacker simply presses the back button repeatedly to escape the PIN screen. No network access, sophisticated tooling, or zero-day knowledge is required. However, for a device already in an attacker's hands, the ease of execution is high. The CVSS vector (AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N) reflects this: physical attack vector, high attack complexity (due to device unlock prerequisite), and low privilege requirement.
Remediation
Update Nextcloud Files app on Android to version 33.1.0 or later. Users on version 33.0.0 or later but earlier than 33.1.0 should prioritize this update. No workaround is available short of uninstalling the app or reverting to a pre-33.0.0 version. Administrators should push or strongly encourage the update through mobile device management (MDM) policies if available and push notifications via the Nextcloud ecosystem.
Patch guidance
Nextcloud has released version 33.1.0 which contains the fix. Organizations using automated app update mechanisms (Google Play Store auto-update, managed app distribution, or MDM-enforced patching) should ensure these are enabled. For manually updated environments, communicate the availability of 33.1.0 to users directly. The patch should be treated as normal-to-high priority given the scope of affected devices and the simplicity of exploitation. Verify that the device is running 33.1.0 or later by checking the app version in Android settings > Apps > Nextcloud Files.
Detection guidance
Direct detection of exploitation is difficult without app-level logging or network monitoring. Organizations can identify vulnerable installations by auditing the Nextcloud Files app version on enrolled Android devices via MDM solutions or manual inventory. Look for devices reporting version 33.0.0–33.0.x in device management dashboards. Behavioral indicators include frequent back-button navigation within the Nextcloud Files app after device unlock, though this is not definitive evidence of exploitation. Consider implementing app-level telemetry or logs if your Nextcloud deployment supports it.
Why prioritize this
Although the CVSS score is moderate (4.6), this vulnerability merits prompt patching because (1) the affected versions are recent and likely widely deployed in new installations, (2) exploitation requires no sophisticated capabilities once physical access is obtained, (3) the PIN is often a documented security control for regulated environments, and (4) the fix is simple and low-risk. It should not be treated as critical or emergency, but should be included in your next mobile patch cycle.
Risk score, explained
The CVSS 3.1 score of 4.6 (MEDIUM) reflects the combination of physical attack vector (requires unlocked device), high attack complexity (device must be unlocked first), low privileges required, and high confidentiality impact with low integrity and no availability impact. The score appropriately devalues the threat by anchoring it to physical possession. However, the actual risk to your organization depends on (a) the prevalence of version 33.0.x in your deployment, (b) the sensitivity of data stored in Nextcloud Files, and (c) the likelihood of device loss or theft.
Frequently asked questions
Does this affect Nextcloud Server or only the Android app?
Only the Android Files app is affected (versions 33.0.0–33.0.x). Nextcloud Server, the web client, and other official clients (iOS, desktop, etc.) are not impacted by this specific flaw.
Can an attacker use this without first unlocking the Android device?
No. The vulnerability requires the Android device to already be unlocked. Once the device is unlocked, the Nextcloud Files app PIN can be bypassed via back-button navigation. The device PIN or biometric unlock is a prerequisite.
Is there a way to force users to update the app if they haven't done so manually?
If you manage Android devices via MDM (Mobile Device Management), you can enforce app updates through the management console. Otherwise, you can notify users through email or in-app messaging. Google Play Store can be configured to auto-update apps, which most users have enabled.
Does the PIN protect against all attacks, or just this specific bypass?
The PIN is designed to protect the app from casual snooping or family members accessing the app without permission. It does not protect against a determined attacker with full device access, root access, or forensic tools. This bypass simply removes one of the layers.
This analysis is based on the official CVE record and vendor advisory as of 2026-06-17. Exploitability and impact may vary depending on your deployment architecture, device management policies, and the sensitivity of data stored within the Nextcloud Files app. Always verify patch applicability and compatibility with your specific environment before deploying updates. SEC.co does not provide legal, compliance, or risk management advice; consult your organization's security and legal teams for guidance specific to your regulatory obligations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2023-5502MEDIUMArista EOS 802.1x Authentication Bypass Vulnerability
- CVE-2026-10283MEDIUMBottelet DaybydayCRM Authentication Bypass in Settings Handler
- CVE-2026-10548MEDIUMImproper Authentication in NousResearch hermes-agent Credential Synchronization
- CVE-2026-45283MEDIUMNextcloud File Lock Authorization Bypass
- CVE-2026-45289MEDIUMCloudburstMC Protocol Authentication Validation Bypass (MEDIUM)
- CVE-2026-45690MEDIUMNextcloud 2FA Bypass via Session Token Replay
- CVE-2026-45691MEDIUMNextcloud 2FA Bypass via Session Cookie Reuse on DAV Endpoints
- CVE-2026-10157HIGHOpen5GS NGAP Authentication Bypass Vulnerability – 5G Core Network Risk