LOW 3.5

CVE-2026-45159: Nextcloud Encrypted Drop Link Authorization Bypass

Nextcloud's end-to-end encrypted file drop feature contained a logic flaw that allowed a user with drop-link access to place files into other encrypted folders owned by the share recipient—without being able to read or modify existing files. The vulnerability affects multiple version lines and has been patched across all active branches.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.5 LOW · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-639
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Nextcloud is an open source content collaboration platform. From versions 1.15.0 to before 1.15.4, 1.16.0 to before 1.16.3, 1.17.0 to before 1.17.1, and 1.18.0 to before 1.18.1, a malicious user with access to an end-to-end encrypted files drop link was able to also drop files into other end-to-end encrypted folders of the share owner. Reading and modifying of other files was not possible. This issue has been patched in versions 1.15.4, 1.16.3, 1.17.1, 1.18.1, and 2.0.0-rc.7.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in Nextcloud's handling of end-to-end encrypted drop links. When a user receives a drop link to an encrypted folder, the application failed to properly validate and enforce the scope of the file placement operation. This resulted in an authorization bypass where the authenticated user could write files to sibling or parent encrypted directories beyond their intended drop target. The CWE-639 classification (Authorization Bypass Through User-Controlled Key) reflects the core issue: improper key or permission scope enforcement. File contents remain encrypted and inaccessible to the attacker, and existing files cannot be read or modified—the attack surface is limited to unauthorized file placement.

Business impact

Organizations using Nextcloud's encrypted file sharing—particularly those handling sensitive or regulated data—face a data integrity risk. While confidentiality is maintained by the encryption layer, an attacker could pollute other users' encrypted folders with malicious or spurious files, potentially triggering incident response, data reconciliation, or compliance audit overhead. The impact is moderate for most deployments because actual data exfiltration or modification is not possible, but organizations with strict data governance policies may view unauthorized writes as a material control failure.

Affected systems

Nextcloud versions 1.15.0–1.15.3, 1.16.0–1.16.2, 1.17.0, and 1.18.0 are affected. Patched versions are 1.15.4, 1.16.3, 1.17.1, 1.18.1, and 2.0.0-rc.7. Organizations should verify their running version against these ranges; the issue spans multiple release lines, suggesting a systemic logic flaw rather than a single-version regression.

Exploitability

Exploitation requires valid authentication and an active drop link to an end-to-end encrypted folder—a moderate barrier. An authenticated user with legitimate access to one encrypted drop target could exploit this to write files into unintended folders. There is no evidence of public exploit code or active exploitation in the wild. The CVSS score of 3.5 (LOW) reflects the combination of network accessibility, low attack complexity, and limited impact (integrity only, no confidentiality or availability loss).

Remediation

Upgrade to the patched versions immediately: 1.15.4, 1.16.3, 1.17.1, 1.18.1, or 2.0.0-rc.7 or later. Organizations running unsupported or very old versions should prioritize upgrading to a current, patched release. Given the LOW severity score and the requirement for authentication and a valid drop link, remediation should be scheduled in your next planned maintenance window, though prompt patching remains prudent to eliminate the control gap.

Patch guidance

Review your Nextcloud deployment version using the admin dashboard or CLI (nextcloud -v or equivalent). Match against the affected ranges: 1.15.0–1.15.3, 1.16.0–1.16.2, 1.17.0, 1.18.0. If you are in an affected range, download the corresponding patched version from the official Nextcloud release repository and follow the vendor's upgrade procedure, which typically involves backing up your database and file store, uploading the new code, and running the upgrade script. Test in a non-production environment first to verify compatibility with your plugins and custom configuration. Verify the patch success by confirming the new version in the admin panel and reviewing the changelog for any breaking changes.

Detection guidance

Monitor Nextcloud application logs (typically in the data directory) for suspicious file placement activity, particularly writes to encrypted folders by users who should not have access to those targets. Review access logs for drop-link usage patterns—unexplained or repeated access to multiple drop links by the same user may indicate exploitation. Network-level monitoring can flag unusual POST/PUT requests to encrypted folder endpoints, though this requires tuning to avoid false positives. After patching, validate that the authorization logic correctly restricts file placement to the intended drop target only.

Why prioritize this

Although the CVSS score is LOW and the vulnerability requires authentication, it directly undermines the integrity guarantee of Nextcloud's encrypted file-sharing feature. Organizations that rely on end-to-end encryption for data protection should treat this as a control bypass and prioritize patching to maintain the security posture of their file collaboration infrastructure. The fact that multiple version lines are affected suggests a non-trivial design flaw worth addressing promptly, even if exploitation likelihood is low.

Risk score, explained

The CVSS 3.1 score of 3.5 (LOW) is derived from a network-accessible service (AV:N) requiring low attack complexity (AC:L) and authenticated user privileges (PR:L). The risk is further reduced by the user interaction requirement (UI:R), uniform scope (S:U), and impact limited to integrity (I:L) with no confidentiality or availability damage. However, this score does not fully capture the design-level trust violation: a feature sold on encryption and access control is bypassed, which may warrant internal risk elevation based on your security policies.

Frequently asked questions

Can an attacker read or modify files in other encrypted folders?

No. The vulnerability permits unauthorized file placement (writing new files) only. Existing files remain encrypted and unreadable; they cannot be modified or deleted. The attacker cannot access the contents of other folders.

Do I need to rotate encryption keys after patching?

Not unless you suspect active exploitation has occurred. The encryption keys themselves are not compromised. However, if you suspect an attacker wrote malicious files into your encrypted folders, you should audit the contents of those folders and remove any suspicious additions before and after patching.

Is this vulnerability listed on CISA's KEV catalog?

No, this vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog. There is currently no evidence of active, weaponized exploitation in the wild.

What if I cannot patch immediately due to operational constraints?

Implement compensating controls: disable or restrict access to end-to-end encrypted drop links until you can patch, or limit drop link recipients to a small, trusted set of users. Monitor encrypted folder activity closely for unauthorized file creation. Prioritize patching in your next change window, as the attack surface remains open until the authorization logic is fixed.

This analysis is based on the publicly disclosed CVE record and vendor advisory as of the publication date. Version numbers, patch guidance, and affected ranges should be verified against the official Nextcloud security advisory and release notes before implementation. SEC.co makes no warranty regarding the completeness or applicability of this guidance to any specific deployment. Organizations are responsible for assessing their own risk and conducting thorough testing in non-production environments before applying patches. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).