CVE-2026-45155: Nextcloud Server Circles Authorization Bypass – Membership Tracking Risk
Nextcloud Server contains a flaw in its circles feature that allows authenticated users to add unknown circles to other circles by directly referencing their IDs, potentially enabling membership tracking. While circle IDs are designed with high complexity (62^15 combinations), if an attacker obtains a valid circle ID through other means, they could exploit this missing access control. The vulnerability requires an authenticated session and user interaction to exploit, making opportunistic attacks unlikely but targeted attacks possible if circle IDs are discovered.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 2.6 LOW · CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-639
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.7 and 33.0.0 to before 33.0.1, a missing access check on API level allowed to add unknown circles by their ID directly to other circles. Since circle IDs have 62^15 complexity by default this is still unlikely to be executable at will, but if access to an ID was available via another source, memberships could be tracked like this. It is recommended that the Nextcloud Server is upgraded to 32.0.7 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7 or 33.0.1
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45155 is an authorization bypass affecting Nextcloud Server versions 32.0.0–32.0.6 and 33.0.0–33.0.0. The API endpoint responsible for circle membership management fails to validate whether the requesting user has permission to add unknown circles by ID to target circles. The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the API accepts circle IDs as direct input without confirming the requester's access rights. Although circle IDs employ 62^15 algorithmic complexity, the weakness allows membership enumeration and potential social engineering if IDs are leaked or discovered through side channels.
Business impact
Organizations using Nextcloud as a collaboration platform face a risk of unauthorized circle membership tracking. An authenticated attacker with knowledge of valid circle IDs could monitor or infer collaboration patterns, potentially exposing organizational structure or sensitive project affiliations. While the barrier to exploitation is high due to the need for valid circle IDs and user interaction, the confidentiality impact—tracking who collaborates on what—could matter in competitive or regulated environments where project teams must remain confidential.
Affected systems
Nextcloud Server versions 32.0.0 through 32.0.6 and 33.0.0 through 33.0.0 are vulnerable. Nextcloud Enterprise Server users running versions 29.0.x through 32.x are affected until patched to the specified maintenance builds. Nextcloud Server instances deployed in either community or enterprise editions with the circles app enabled and exposed to authenticated users are at risk. Self-hosted and SaaS-deployed instances are both in scope.
Exploitability
Exploitation requires an authenticated Nextcloud user account and knowledge of a target circle's ID. The attack vector is network-based and does not require elevated privileges within Nextcloud, though it does require valid credentials. The high complexity of circle IDs (62^15) makes random guessing impractical; attackers must obtain IDs through legitimate access to the platform, external leaks, or error messages. User interaction is noted in the CVSS vector, likely reflecting the need for social engineering or an action that exposes circle IDs. Public exploit code is not known, and the vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities catalog.
Remediation
Upgrade Nextcloud Server to version 32.0.7 or 33.0.1 immediately. For Nextcloud Enterprise Server, apply the appropriate maintenance release: 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7, or 33.0.1, depending on your version line. These patches restore authorization checks to the circle API endpoints. Review access logs for any suspicious circle additions during the vulnerability window. Consider temporarily disabling the circles app in sensitive deployments if immediate patching is not feasible.
Patch guidance
Nextcloud releases patches through its security update channels. Community administrators should enable automatic updates or manually download patched builds from the Nextcloud download portal. Enterprise customers should consult their support contract for staged rollout guidance. Test patches in a non-production environment first to confirm compatibility with custom circles configurations or integrations. After patching, audit circle memberships for any unauthorized additions and revoke suspicious entries.
Detection guidance
Monitor API logs for unusual calls to circle membership endpoints (typically `/ocs/v2.php/apps/circles/*` patterns) originating from non-administrative accounts. Flag cases where circle IDs are added by users who have no documented collaboration relationship with those circles. Implement alerts on circle membership changes, especially for sensitive or high-value circles. Review authentication logs for sessions that accessed the circles API but did not correspond to known user workflows. Security Information and Event Management (SIEM) rules can correlate failed and successful circle-related API calls to identify reconnaissance attempts.
Why prioritize this
Despite the LOW CVSS score (2.6), this vulnerability merits patching in standard maintenance cycles rather than emergency response. The confidentiality risk—unauthorized visibility into collaboration patterns—is non-trivial in regulated or competitive industries. However, the requirement for valid circle IDs and authenticated access significantly reduces risk in most deployments. Organizations should prioritize patching if they consider project team information sensitive or if they suspect external parties may have circle ID information. Standard patch windows are appropriate for most enterprises.
Risk score, explained
The CVSS 3.1 score of 2.6 (LOW) reflects the attack vector (network-accessible but requiring authentication), high attack complexity (needing a valid circle ID), and limited impact scope (confidentiality only, no integrity or availability impact). The user interaction requirement further constrains the rating. However, the score does not capture context-specific risks: organizations where team affiliation is a trade secret or where circles contain sensitive information may warrant higher internal risk ratings independent of the base CVSS.
Frequently asked questions
Can an unauthenticated attacker exploit this?
No. The vulnerability requires a valid Nextcloud account and authenticated session. Unauthenticated attackers cannot access the circle API endpoints.
What is the likelihood an attacker will randomly guess a valid circle ID?
Extremely low. With 62^15 possible combinations, brute force is computationally infeasible. An attacker must obtain a valid ID through legitimate platform access, leaks, or information disclosure in error messages.
Does this vulnerability allow an attacker to read private circle content?
No. The flaw is limited to adding circles to other circles and enabling membership tracking. It does not grant access to files, messages, or other circle data. Confidentiality impact is restricted to the fact that a collaboration relationship exists.
Are on-premises and cloud-hosted Nextcloud instances equally affected?
Yes. The vulnerability affects any Nextcloud Server deployment within the vulnerable version ranges, regardless of hosting model. Patch availability and deployment timeline may differ, but both are in scope.
This analysis is based on the CVE record published 2026-06-01 and last modified 2026-06-17. Readers must verify vendor security advisories and patch version numbers against official Nextcloud documentation before deploying updates. This summary does not constitute security advice specific to any organization's infrastructure or risk profile. SEC.co makes no warranty regarding exploit availability, real-world attack prevalence, or operational impact in specific environments. Organizations should conduct their own risk assessment and testing prior to applying patches or operational changes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-24761LOWKiteworks IDOR Vulnerability in Secure Data Forms
- CVE-2026-45159LOWNextcloud Encrypted Drop Link Authorization Bypass
- CVE-2026-47713LOWAnythingLLM Pre-Migration Token Privilege Escalation & Data Exposure
- CVE-2025-14772HIGHABB T-MAC Plus Authorization Bypass (CVSS 8.8)
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10597MEDIUMOMICARD EDM Unauthenticated Email Disclosure Vulnerability
- CVE-2026-23638MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch Guidance