CVE-2026-45264: Nextcloud Permission Bypass Allows Unauthorized File Renaming in Team Folders
Nextcloud versions spanning 17.0.0 through 21.0.3 contain a permission bypass vulnerability that allows users with read and create access—but explicitly not update access—to rename files within team folders. This unintended capability undermines the granular permission model Nextcloud enforces, potentially enabling unauthorized modification of file metadata and organizational disruption. The issue affects a broad version range and has been patched across all active release lines.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-284
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Nextcloud is an open source content collaboration platform. From versions 17.0.0 to before 17.0.15, 18.0.0 to before 18.1.12, 19.0.0 to before 19.1.16, 20.0.0 to before 20.1.11, and 21.0.0 to before 21.0.4, a user with READ and CREATE permission, but no UPDATE permission for a team folder can rename files in the team folder. This issue has been patched in versions 17.0.15, 18.1.12, 19.1.16, 20.1.11, and 21.0.4.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from insufficient permission validation during file rename operations in team folder contexts. Nextcloud's permission model distinguishes between READ, CREATE, and UPDATE permissions; however, the rename functionality does not properly enforce the UPDATE permission requirement. A user granted READ and CREATE permissions can invoke rename operations without triggering the expected authorization check for UPDATE permissions. This is classified as an Improper Access Control issue (CWE-284). The network-based, low-complexity attack vector and low privilege requirement make this readily exploitable by any authenticated user with the specified permission set.
Business impact
While the CVSS score of 4.3 reflects moderate severity, the practical impact depends on deployment context. In environments where READ/CREATE permissions are broadly delegated (e.g., project teams uploading documents), unauthorized renaming could obscure file provenance, break downstream automation reliant on consistent naming conventions, or facilitate subtle data manipulation attacks. Compliance frameworks requiring audit trails and immutable naming schemes may be violated. For organizations using Nextcloud as a primary collaboration hub, widespread exploitation could degrade operational efficiency and create forensic gaps.
Affected systems
Nextcloud versions 17.0.0–17.0.14, 18.0.0–18.1.11, 19.0.0–19.1.15, 20.0.0–20.1.10, and 21.0.0–21.0.3 are vulnerable. Patched versions are 17.0.15, 18.1.12, 19.1.16, 20.1.11, and 21.0.4 respectively. Organizations running Nextcloud in any of these version ranges with team folders and delegated READ/CREATE permissions are at risk. The vulnerability does not require special configuration; it affects default permission enforcement.
Exploitability
Exploitability is straightforward for any authenticated user within the affected permission scope. No special tooling, unusual network conditions, or user interaction is required—the attacker simply invokes the rename API or UI action against a team folder file they have READ and CREATE access to. The low CVSS Access Complexity (AC:L) and Privileges Required (PR:L) rating reflects this ease of exploitation. However, widespread attack depends on the attacker already possessing appropriate permissions and identifying team folders with the vulnerable permission configuration.
Remediation
Upgrade to patched versions: 17.0.15 or later (17.x), 18.1.12 or later (18.x), 19.1.16 or later (19.x), 20.1.11 or later (20.x), or 21.0.4 or later (21.x). Patches restore proper permission enforcement, requiring UPDATE permission for all file rename operations. For environments unable to patch immediately, audit team folder permission assignments and consider temporarily restricting CREATE permissions for users who should not be able to rename files, though this may limit legitimate collaboration workflows.
Patch guidance
Nextcloud provides official patches for all affected version lines. Review your current Nextcloud version using the admin settings or command-line interface. Consult the official Nextcloud security advisory and your vendor's patch release notes to confirm the exact patched version available for your release line before upgrading. Test patches in a staging environment to verify compatibility with custom apps or integrations. Given the moderate severity and low complexity of exploitation, prioritize patching within 2–3 weeks. Follow Nextcloud's documented upgrade procedure, including database migration steps if applicable.
Detection guidance
Monitor Nextcloud logs for unusual file rename operations within team folders, particularly by users whose permission profiles should not permit renames. Review access logs for patterns of repeated rename attempts by low-privilege accounts. If your monitoring stack supports it, alert on any rename operation by a user account lacking explicit UPDATE permission on the affected resource. Post-patch, verify that rename operations now consistently require UPDATE permission by testing with constrained user accounts in a controlled setting.
Why prioritize this
Although not designated as Known Exploited Vulnerability (KEV) status and rated MEDIUM severity, this vulnerability merits prompt attention because: (1) exploitation requires no sophistication or special conditions beyond normal authentication; (2) it directly undermines the permission model users rely on for team collaboration and access control; (3) it affects five active version lines spanning nearly two years of releases; and (4) successful exploitation leaves subtle, potentially deniable audit trails that may complicate forensic response. Organizations with strict compliance requirements or audit trail dependencies should prioritize this above other MEDIUM-severity items.
Risk score, explained
The CVSS 3.1 score of 4.3 (MEDIUM) reflects network accessibility, low attack complexity, and low privilege requirements, offset by limited integrity impact (no confidentiality or availability loss). The score appropriately captures technical exploitability but may underweight organizational risk in highly collaborative environments where file naming conventions and auditability are critical. Security teams should consider local factors—deployment sensitivity, user base size, and audit requirements—when mapping this score to internal risk ratings.
Frequently asked questions
Can an attacker rename files outside team folders or in contexts where they have UPDATE permission?
No. This vulnerability is specific to the permission bypass for team folder renames by users lacking UPDATE permission. Users with proper UPDATE permissions can already rename files, and the vulnerability does not extend to non-team folder contexts or other file operations.
What happens if we restrict all CREATE permissions while waiting for patches?
Restricting CREATE permissions would block the exploit but would also prevent legitimate users from uploading or creating new files, severely limiting collaboration. This is not a recommended temporary mitigation. Prioritize patching instead.
Does this vulnerability affect Nextcloud Server self-hosted and Nextcloud Managed Server equally?
Yes, the vulnerability affects both deployment models for the affected versions. However, Managed Server customers may receive patches faster through their hosting provider. Check with your provider on patch timelines.
Could renamed files trigger compliance violations or audit failures?
Potentially. If your compliance framework requires immutable file names or complete audit trails, unauthorized renames could create gaps or violations. After patching, verify that your audit logging correctly records all rename operations and that no backdated renames occurred during the vulnerable window.
This analysis is based on published vulnerability data as of June 2026 and vendor-provided patch information. Organizations should verify patch availability and compatibility in their specific Nextcloud deployment before applying updates. Testing in a staging environment is strongly recommended. This vulnerability summary does not constitute security advice tailored to your organization's risk profile; consult your security team and vendor advisories for deployment-specific guidance. No exploit code or weaponization details are provided herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2024-27891MEDIUMArista EOS MACsec + Egress ACL Policy Enforcement Failure
- CVE-2026-10152MEDIUMImproper Access Control in TaleLin lin-cms-spring-boot Book Endpoint
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation
- CVE-2026-10255MEDIUMPharmacy Sales System Authentication Bypass – SourceCodester 1.0
- CVE-2026-10277MEDIUMImproper Access Control in MCP Google Workspace Gmail Tool
- CVE-2026-10806MEDIUMUnrestricted File Upload in mjperpinosa stumasy
- CVE-2026-10807MEDIUMUnrestricted File Upload in mjperpinosa stumasy Profile Image Handler