CVE-2026-45157: Nextcloud File Share Token Abuse Exposes Chunked Upload Data
A vulnerability in Nextcloud Server allows a malicious user who has been granted access to a shared file to bypass intended restrictions and view temporary upload files during an ongoing chunked file transfer. The attacker leverages the share token—credentials normally intended only for accessing the shared file—to gain unauthorized access to the file upload staging area. This exposure occurs across specific versions of both the open-source Nextcloud Server and Nextcloud Enterprise Server.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-284
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a malicious user has access to a file share of a user, they could use this share token to also access the chunking upload directly and see temporary part files during on going uploads. It is recommended that the Nextcloud Server is upgraded to 32.0.9 or 33.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 26.0.13.26, 27.1.11.25, 28.0.14.17, 29.0.16.16, 30.0.17.9, 31.0.14.5, 32.0.9 or 33.0.3
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from insufficient access control on the chunked upload endpoint. When Nextcloud processes large file uploads, it breaks them into parts stored temporarily on the server. The share token used to authorize access to a shared file is not properly restricted from being reused to enumerate or access these intermediate chunks. An authenticated attacker with an active file share token can directly request the chunking upload API and retrieve partial files that belong to ongoing uploads, even if those uploads are unrelated to the attacker's intended access. The issue affects Nextcloud Server 32.0.0–32.0.8 and 33.0.0–33.0.2, as well as multiple versions of the Enterprise edition.
Business impact
This vulnerability creates a data exposure risk in collaborative environments where file sharing is frequent. An insider or compromised account with legitimate share access can view sensitive data mid-upload before a user completes the transfer and before standard file access controls would apply. This is particularly concerning for organizations handling confidential documents, personal information, or regulated data. While the severity is moderate, the risk scales with the volume of file collaboration and the sensitivity of data commonly uploaded through Nextcloud instances.
Affected systems
Nextcloud Server versions 32.0.0 through 32.0.8 and 33.0.0 through 33.0.2 are directly vulnerable. Nextcloud Enterprise Server is affected across multiple legacy versions: 26.0.0–26.0.12, 27.1.0–27.1.10, 28.0.0–28.0.13, 29.0.0–29.0.15, 30.0.0–30.0.16, 31.0.0–31.0.13, and 32.0.0–32.0.8. Any organization running these specific versions with active file sharing enabled should be considered at risk.
Exploitability
Exploitation requires an authenticated user account with an active file share token. An attacker cannot exploit this remotely without first obtaining legitimate share access to at least one file. The attack is not user-interaction dependent from the attacker's perspective—once a token is in hand, the attacker can directly query the chunking upload endpoint. The barrier to exploitation is moderate: an insider, a user with a shared link, or an account that has been compromised can execute the attack with minimal technical sophistication. This is not listed in the CISA KEV catalog, indicating no known widespread active exploitation at the time of publication.
Remediation
Immediate action is to upgrade to patched versions. For Nextcloud Server, update to 32.0.9 or 33.0.3 or later. For Enterprise deployments, consult the vendor advisory for the appropriate patched version corresponding to your currently deployed branch (26.0.13.26, 27.1.11.25, 28.0.14.17, 29.0.16.16, 30.0.17.9, 31.0.14.5, 32.0.9, or 33.0.3). There is no known workaround; patching is the only remediation. Organizations should prioritize patching based on the version currently deployed and the sensitivity of data on the instance.
Patch guidance
Verify your current Nextcloud version via the administration panel or command line. Cross-reference your version against the affected ranges. If you are on an affected branch, plan a maintenance window and upgrade to the specified patched version. Nextcloud provides incremental update paths; do not skip major versions unless explicitly supported by the upgrade wizard. Test in a non-production environment first. Enterprise customers should verify their specific branch against the vendor advisory, as patch versions vary by branch. After patching, restart Nextcloud services and confirm functionality of file sharing and uploads.
Detection guidance
Monitor access logs for repeated or anomalous requests to `/ocs/v2.php/apps/files/api/v1/chunking/` or similar chunking endpoints using valid but unusual share tokens. Look for patterns where a single share token is used to access multiple unrelated chunks or uploads. Implement logging on file upload events and cross-correlate share token usage with file access. In high-security environments, audit all active share tokens and review which accounts hold them. Intrusion detection systems should flag requests that combine share token authentication with direct access to staging directories.
Why prioritize this
This vulnerability merits prompt but not emergency patching. The CVSS score of 6.3 (Medium) reflects that exploitation requires prior authentication and results in data confidentiality loss without integrity or availability compromise. However, the ease of exploitation for any user with a share token and the potential to expose sensitive data in transit make it a priority for organizations with stringent data protection requirements or frequent file collaboration. Enterprises handling regulated data (HIPAA, GDPR, PCI) should treat this as high-priority within their patch cycle. Public-facing Nextcloud instances and those with sensitive intellectual property should be patched within 2–4 weeks.
Risk score, explained
The CVSS 3.1 score of 6.3 (Medium) is derived from: Network-based attack vector (AV:N), low attack complexity (AC:L), and requirement for valid user authentication (PR:L). The confidentiality impact is rated high (C:H) because chunks of any file can be read if an attacker holds a share token. Integrity is rated low (I:L) due to minimal scope for modification, and availability is not impacted (A:N). The user interaction requirement (UI:R) reflects that the attacker must persuade a legitimate user to share a file or the attacker must already have a share token in hand. The overall score appropriately reflects a moderate-severity data exposure risk that is real but constrained by authentication requirements.
Frequently asked questions
Can an unauthenticated attacker exploit this?
No. The attacker must possess a valid share token or authenticated user credentials. Exploitation is possible only for users with existing access to shared files or active Nextcloud accounts.
Does this vulnerability affect all file uploads?
Only large uploads that use Nextcloud's chunked transfer mechanism are exposed via this vulnerability. Small files that upload in a single request are not affected. Additionally, only the temporary staging files are exposed; the attacker cannot modify or delete files already stored in Nextcloud.
Is there a workaround if I cannot patch immediately?
Unfortunately, no reliable workaround exists. The vulnerability is architectural and affects the share token mechanism itself. Restricting file sharing until patching can be applied is the only interim risk reduction measure, but this severely limits collaboration capabilities.
Does this vulnerability result in remote code execution?
No. The vulnerability is limited to unauthorized reading of temporary file chunks. There is no evidence of code execution or privilege escalation. The impact is data confidentiality loss only.
This analysis is provided for informational purposes and represents the state of knowledge as of the published date. CVSS scores, patch versions, and affected product versions are sourced from the official Nextcloud security advisory. Organizations should verify patch applicability against their specific deployment. This document does not constitute legal or compliance advice. SEC.co makes no warranty as to the completeness or accuracy of remediation paths and recommends consulting Nextcloud support for enterprise deployments. No exploit code or weaponized proof-of-concept is provided herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2024-27891MEDIUMArista EOS MACsec + Egress ACL Policy Enforcement Failure
- CVE-2026-10152MEDIUMImproper Access Control in TaleLin lin-cms-spring-boot Book Endpoint
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation
- CVE-2026-10255MEDIUMPharmacy Sales System Authentication Bypass – SourceCodester 1.0
- CVE-2026-10277MEDIUMImproper Access Control in MCP Google Workspace Gmail Tool
- CVE-2026-10806MEDIUMUnrestricted File Upload in mjperpinosa stumasy
- CVE-2026-10807MEDIUMUnrestricted File Upload in mjperpinosa stumasy Profile Image Handler