CVE-2026-45156: Nextcloud OIDC ID4me Signature Verification Bypass – Authentication Bypass Vulnerability
Nextcloud's User OIDC (OpenID Connect) authentication system fails to verify signatures from ID4me identity authorities. An attacker controlling a malicious ID4me authority can forge authentication tokens to impersonate any user on an affected Nextcloud instance. This is a high-severity authentication bypass that requires user interaction—typically a user clicking a login link or being redirected to a compromised identity provider. The vulnerability spans multiple version branches and has been patched across supported releases.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-287
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been patched in versions 3.1.0, 4.1.0, 5.1.0, 6.4.0 and 8.3.0.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in Nextcloud's OIDC authentication flow between versions 0.3.0–3.0.x, 5.0.0–5.0.x, and 6.0.0–6.3.x. When a user authenticates via an ID4me authority, Nextcloud fails to cryptographically verify the signature of the returned ID token. An attacker who controls or can redirect traffic to an ID4me-compatible authority can issue valid-appearing tokens for any user identity without possession of legitimate signing credentials. The attack vector is network-based with low attack complexity; user interaction is required (the user must initiate or be socially engineered into an authentication attempt). The CVSS 3.1 vector reflects high confidentiality and integrity impact with no availability impact.
Business impact
Successful exploitation allows an attacker to gain unauthorized access to Nextcloud user accounts without credentials. This bypasses multi-factor authentication protections that may be in place on the actual user account. An attacker can access, modify, or exfiltrate sensitive documents, calendar data, contacts, and other collaboration assets. The impact scales with the privilege level of compromised accounts—compromise of admin accounts grants full platform control. Organizations using Nextcloud for file sharing, project collaboration, or regulated content storage face data breach, compliance violation, and operational disruption risks.
Affected systems
Nextcloud versions 0.3.0 through 3.0.x, 5.0.0 through 5.0.x, and 6.0.0 through 6.3.x are affected. Patched versions are 3.1.0, 4.1.0, 5.1.0, 6.4.0, and 8.3.0. Organizations must identify which version branch they operate and upgrade to the corresponding patched release. Users of version 4.x and earlier, or those between version branches, should verify patch availability against official Nextcloud security advisories.
Exploitability
The vulnerability requires network access and user interaction but has low technical complexity. An attacker must either control an ID4me authority or intercept and redirect authentication traffic. The attack is not directly exploitable against a user passively; however, phishing campaigns directing users to login portals or legitimate login flows initiated by the user are viable attack scenarios. No public exploit code availability is currently documented, but the signature verification bypass is a well-understood authentication attack pattern. The barrier to exploitation is moderate—an attacker needs infrastructure and social engineering capability but not advanced tooling.
Remediation
Organizations must upgrade to patched Nextcloud versions immediately: 3.1.0 or later for the 3.x branch, 4.1.0 or later for the 4.x branch, 5.1.0 or later for the 5.x branch, 6.4.0 or later for the 6.x branch, or 8.3.0 or later for the 8.x branch. Verify your current version and branch mapping against official Nextcloud release notes. If immediate patching is not feasible, disable OIDC authentication via ID4me authorities until patches can be deployed. Review access logs for suspicious authentication patterns or anomalous user account activity post-compromise.
Patch guidance
Nextcloud has released patched versions across all affected branches. Consult the Nextcloud security advisory corresponding to your version series for specific upgrade paths. Test patches in a staging environment before production deployment to ensure compatibility with custom authentication flows or OIDC configurations. Organizations running self-hosted Nextcloud should prioritize upgrades to the latest stable release in their branch. Cloud-hosted Nextcloud instances should verify that their hosting provider has applied patches; contact support if version information is unavailable.
Detection guidance
Monitor authentication logs for successful OIDC sign-ins followed by anomalous user behavior: unusual file access patterns, data downloads outside normal business hours, or privilege escalation attempts. Examine ID token claims in OIDC logs for mismatches between the authenticated user identity and subsequent account activity. Alert on failed signature verification errors in Nextcloud debug logs if available. Cross-reference login timestamps and source IP addresses against user travel or normal access patterns. Organizations with SIEM integration should create correlation rules linking OIDC authentication events to subsequent high-risk actions.
Why prioritize this
This vulnerability merits immediate prioritization due to its HIGH CVSS score (8.1), direct impact on authentication integrity, and the broad attack surface across multiple Nextcloud versions. Authentication bypass vulnerabilities are frequent targets for APT and commodity attackers seeking initial access. The requirement for user interaction slightly reduces urgency compared to zero-click exploits but does not diminish risk given the prevalence of phishing and social engineering. Organizations hosting sensitive data or operating in regulated industries should treat this as a critical patch.
Risk score, explained
The CVSS 3.1 score of 8.1 reflects a HIGH severity assessment. Network vector (AV:N) and low attack complexity (AC:L) indicate broad exploitability. The requirement for user interaction (UI:R) prevents a critical rating. High impact to confidentiality (C:H) and integrity (I:H) reflects full user account compromise and potential data manipulation. Absence of availability impact (A:N) acknowledges that the attack does not directly disrupt service. The scoring appropriately reflects the serious but bounded nature of authentication bypass attacks.
Frequently asked questions
Do we need to upgrade all Nextcloud instances, or just specific versions?
Yes, you must upgrade if your instance version falls within the affected ranges: 0.3.0–3.0.x, 5.0.0–5.0.x, or 6.0.0–6.3.x. Version 4.x and early versions prior to 0.3.0 are not mentioned as affected. Use 'occ status' or the admin panel to confirm your version. Consult the official Nextcloud security advisory to determine your specific upgrade target.
If we disable OIDC login, are we safe until we can patch?
Disabling ID4me OIDC authentication eliminates this specific vulnerability's attack surface. However, you should not rely on disabling features as a permanent mitigation. Patch as soon as feasible. If you must delay patching, document the business justification and implement compensating controls such as enhanced monitoring and IP whitelisting for Nextcloud access.
Can this vulnerability affect our single sign-on (SSO) setup if we use a different OIDC provider?
This vulnerability is specific to ID4me authorities. If you use a different OIDC provider (Okta, Keycloak, Azure AD, etc.), you are not affected by this particular issue unless that provider is also misconfigured or compromised. However, review your OIDC configuration to ensure your primary identity provider enforces token signature verification on their end.
What should we look for in logs to confirm if we've been compromised?
Search authentication logs for successful OIDC logins without corresponding user-initiated requests, or logins from unusual geographies or IP addresses. Cross-reference these events with subsequent user activities: unexpected file accesses, sharing events, or system configuration changes. If you have SIEM or log aggregation, correlate OIDC sign-in events with downstream API calls or administrative actions that differ from the user's baseline behavior.
This analysis is provided for informational purposes and should not be considered legal or compliance advice. Organizations are responsible for assessing their own exposure, conducting testing, and validating patches before deployment. Patch version numbers and affected ranges are based on vendor advisory data current as of the publication date; verify against official Nextcloud security releases and your instance configuration. This vulnerability analysis does not constitute a guarantee of patch effectiveness or applicability to custom Nextcloud deployments. Consult Nextcloud documentation and your hosting provider's advisory for environment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10157HIGHOpen5GS NGAP Authentication Bypass Vulnerability – 5G Core Network Risk
- CVE-2026-10167HIGHAuthentication Bypass in BrinaryBrains School Management System
- CVE-2026-10243HIGHSmart Parking System 1.0 Authentication Bypass – Remote Admin Access
- CVE-2026-10281HIGHEnderfga claw-orchestrator Authentication Bypass – Patch Available
- CVE-2026-10288HIGHHotel Reservation System Admin Authentication Bypass
- CVE-2026-10617HIGHGoClaw Webhook Authentication Bypass – Remote Exploitation
- CVE-2026-10619HIGHsayan365 Student-Management-System Remote Authentication Bypass
- CVE-2026-10777HIGHealpha072 Student-Management-System Authentication Bypass in Admin Backend