LOW 2.6

CVE-2026-45154: Nextcloud Collective Pages Trashbin Access Control Bypass

Nextcloud, an open-source content collaboration platform, contains a flaw affecting versions 2.6.0 through 4.2.x that allows guest users to retrieve deleted collaborative pages from the trash when the parent collective is shared in view-only mode. An attacker with guest access could circumvent intended deletion by directly accessing removed content, though the exposure is limited to information disclosure and requires prior access to the shared collective. The vulnerability has been resolved in version 4.3.0.

Source data · NVD / CISA · public domain

CVSS
3.1 · 2.6 LOW · CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-284
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Nextcloud is an open source content collaboration platform. From version 2.6.0 to before version 4.3.0, when a previous collective pages was deleted and the collective was shared view-only, guests with access to the collective were able to access the deleted pages directly from the trashbin. This issue has been patched in version 4.3.0.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

A privilege boundary violation exists in Nextcloud's collective pages feature where access controls on deleted content fail to respect share-level restrictions. When a collective is shared with view-only permissions to guest users and a page within that collective is deleted, the trashbin mechanism does not re-evaluate whether guests should retain access to discarded items. This violates the principle of least privilege and allows information recovery that should be blocked at the collaboration level. The issue is classified as a broken access control weakness (CWE-284).

Business impact

For organizations deploying Nextcloud as an internal or external collaboration hub, this vulnerability represents a modest but real information leakage risk. Sensitive deleted meeting notes, project plans, or other collaborative content could be viewed by guest users who should see only current, active materials. The impact is contained by the requirement that guests already have collective access and that retrieval requires deliberate action, but the unintended disclosure of deleted work creates compliance and confidentiality concerns, particularly in regulated environments handling customer or proprietary data.

Affected systems

Nextcloud versions 2.6.0 through 4.2.x are affected. Organizations running Nextcloud with the collective pages feature enabled and sharing collectives with guest users in view-only mode face direct exposure. Self-hosted and cloud-hosted Nextcloud instances are equally vulnerable. Upgrade to version 4.3.0 or later to remediate.

Exploitability

Exploitation requires that an attacker already possess guest-level access to a shared collective—a prerequisite that limits opportunistic attacks. The attack itself is non-technical: an authenticated guest simply accesses the trashbin interface to view previously deleted pages. There is no need for network-layer bypass or special tooling. However, the access control failure suggests the flaw would only be discovered through intentional testing or accidental user observation, making it unlikely to be exploited at scale in the wild absent coordinated disclosure. The vulnerability is not tracked in CISA's Known Exploited Vulnerabilities catalog.

Remediation

Upgrade Nextcloud to version 4.3.0 or later as soon as feasible. Verify the upgrade through vendor release notes and changelogs. Organizations unable to upgrade immediately should audit share configurations to identify which collectives are shared with guests and assess the sensitivity of content within those collectives. Consider temporarily disabling guest access to collectives containing sensitive deleted materials, or implementing secondary controls such as trashbin retention policies that purge deleted content on a shorter schedule.

Patch guidance

Deploy Nextcloud version 4.3.0 or any subsequent release. Patch testing should include verification that guest users can no longer access deleted pages in the trashbin of view-only shared collectives, while confirming that legitimate collective members retain appropriate access to active content. Test in a staging environment before production rollout to ensure no disruption to collaboration workflows. Refer to Nextcloud's official release notes for 4.3.0 for any additional upgrade steps or compatibility considerations.

Detection guidance

Monitor audit logs for unusual trashbin access patterns by guest-level accounts, particularly repeated queries for deleted items. Nextcloud audit logging should capture retrieval of deleted pages; baseline normal behavior and alert on anomalies. If available, track which user accounts with guest status access the collective's trashbin feature and correlate with share configurations. Forensic review of collaboration timelines can reveal whether deleted content was unexpectedly viewed by external parties post-deletion. Organizations without native logging may enable verbose logging at the application level during investigation.

Why prioritize this

Despite a low CVSS score, this vulnerability warrants timely patching because it directly undermines a core security model: view-only guest access to collectives. The flaw demonstrates that Nextcloud's share-level access controls do not consistently guard deleted content, which could create false confidence in security posture. Prioritization should reflect organizational sensitivity to information disclosure and the prevalence of guest-based collaboration in the environment. Patch urgency is moderate—not critical—but should not be deferred indefinitely.

Risk score, explained

The CVSS 3.1 score of 2.6 (LOW) reflects that the vulnerability requires authentication (PR:L), accepts human interaction (UI:R), and results only in information disclosure (C:L, I:N, A:N). Attack complexity is high (AC:H) because the attacker must already be a guest on the shared collective. The score appropriately captures that this is not a system-wide compromise vector. However, context matters: in deployments where collectives routinely contain confidential information shared with external guests, the business risk may exceed the numerical score. Use CVSS as a baseline, not a ceiling, for prioritization.

Frequently asked questions

Can an attacker without any Nextcloud account exploit this?

No. The vulnerability requires that an attacker hold guest-level access to a shared collective. Unauthenticated internet users cannot exploit this. The threat model is limited to persons already granted collaboration rights, who then seek to view deleted content they should not see.

If we delete a collective entirely, does this vulnerability still apply?

The vulnerability specifically concerns deleted *pages* within a collective, not deletion of the collective itself. If a collective is deleted entirely, the trashbin mechanics differ. Consult Nextcloud's documentation for collective-level deletion behavior, but page-level deletion within an active collective is the attack surface.

Does view-only mode in private (non-shared) collectives have the same issue?

No. The vulnerability manifests when collectives are *shared* with guest users in view-only mode. Internal collectives or those shared only with authenticated organizational members are not affected by this particular flaw, though general security best practices still apply.

What is the actual impact if a guest sees a deleted page?

The guest sees the content of the deleted page—whatever text, attachments, or metadata was in it. This is an information disclosure event. The guest cannot modify the page, re-activate it, or alter the collective itself. The risk is reputational, compliance-related, and confidentiality-driven, depending on what was deleted.

This analysis is provided for informational purposes and represents a professional interpretation of publicly available vulnerability data as of the publication date. SEC.co does not provide legal, compliance, or risk management advice. Organizations must evaluate vulnerability impact in the context of their specific deployments, data classification, and regulatory obligations. Patch version numbers, affected product ranges, and timeline information are sourced from official vendor disclosures; customers should verify against Nextcloud release notes and security advisories before deployment. This vulnerability is not currently tracked as an actively exploited threat, but absence from public exploit databases does not guarantee absence of weaponization in targeted campaigns. Consult your incident response and asset management teams before making patching decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).