LOW 3.5

CVE-2026-45266: Nextcloud Unauthorized Call Microphone Mute Vulnerability

A flaw in Nextcloud allows any authenticated user to remotely mute other participants' microphones during calls, but only when the deployment lacks a High-performance Backend configuration. This is a low-severity integrity issue that affects call participants' ability to communicate via audio.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.5 LOW · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-284
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Nextcloud is an open source content collaboration platform. Prior to versions 21.1.10, 22.0.11, and 23.0.3, a low-privileged user can force other user's microphones to be muted in calls when no High-performance Backend is installed. This issue has been patched in versions 21.1.10, 22.0.11, and 23.0.3.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45266 is an improper access control vulnerability (CWE-284) in Nextcloud's call handling mechanism. A low-privileged, authenticated user can send requests that force other users' microphones to mute state without their consent. The vulnerability exists in call signaling logic and is only exploitable when Nextcloud is deployed without a High-performance Backend (HPB)—a component that normally adds stricter validation and authorization controls around call state changes. The attack requires network access and user interaction from the target (UI:R per CVSS vector), meaning the victim must have an active call session.

Business impact

Disruption of voice communication within Nextcloud Talk can harm remote team collaboration, training sessions, and client meetings. While an attacker cannot eavesdrop or steal data, the ability to silence participants without their knowledge creates a denial-of-service condition for audio communication. For organizations relying on Nextcloud as their primary unified communications platform, this could undermine meeting effectiveness and user trust in the platform's reliability.

Affected systems

Nextcloud versions prior to 21.1.10, 22.0.11, and 23.0.3 are affected. Deployments are vulnerable only if they do not have a High-performance Backend installed and configured. Administrators using HPB are already protected. Community editions and self-hosted instances without HPB represent the primary exposure.

Exploitability

Exploitation requires valid Nextcloud credentials and an active call involving the target user. The attack is straightforward—a malicious user joins a call and sends crafted requests to mute others—making it low-effort once authenticated. However, the requirement for user interaction (the target must be in an active call) and the absence of remote code execution or privilege escalation limits real-world impact. This is not remotely exploitable from the internet without prior account compromise.

Remediation

Upgrade to Nextcloud 21.1.10, 22.0.11, or 23.0.3 or later. Organizations on older major versions should plan upgrades according to their support lifecycle. Alternatively, implement a High-performance Backend, which mitigates the vulnerability through stricter authorization enforcement on call state changes. Verify patch deployment in your Nextcloud administration console.

Patch guidance

Administrators should prioritize patching in the next routine maintenance window. Download the patched versions directly from the official Nextcloud release channels. For containerized deployments, update your Nextcloud image to the patched version and redeploy. For source installations, pull the latest code from the official repository. After patching, restart Nextcloud services and verify call functionality in a test call before resuming production use.

Detection guidance

Monitor Nextcloud logs for repeated call-state modification requests from low-privileged accounts, particularly those that result in mute events for other users. Look for unusual patterns in talk_commands or signaling logs around audio control. If you lack High-performance Backend, review call logs during suspected incident windows to correlate mute events with unauthorized user actions. Network-level detection is difficult without call protocol inspection; log-based detection is more practical.

Why prioritize this

Although CVSS 3.5 (LOW) reflects minimal confidentiality and availability impact, this vulnerability directly impairs a core communication feature. Prioritize patching if your organization relies on Nextcloud Talk for day-to-day collaboration or if you have low-privileged user populations with call access. If you deploy High-performance Backend, this is lower priority. For smaller teams or internal deployments, routine patching within 30 days is appropriate.

Risk score, explained

The CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N score of 3.5 (LOW) reflects: Network-accessible attack surface, low attack complexity, low-privilege attacker requirement, but user interaction needed (call must be active). No confidentiality loss, minor integrity impact (audio control), no availability loss at system level. The score appropriately reflects that this is a nuisance attack with limited scope rather than a critical vulnerability.

Frequently asked questions

Do I need to patch if I use Nextcloud High-performance Backend?

No. HPB provides the authorization controls that prevent this attack. However, you should still apply the patch as a defense-in-depth measure and to be covered against any future variants. Check your Nextcloud admin panel to confirm HPB is active.

Can an attacker remotely exploit this without an account?

No. The attacker must be an authenticated Nextcloud user and must participate in or join an active call. Public instances or strict access controls reduce risk significantly.

Will a low CVSS score mean I should delay patching?

Not necessarily. CVSS 3.5 reflects technical impact, not business risk. If Nextcloud Talk is critical to your operations or you have untrusted internal users, prioritize patching sooner. Routine maintenance windows within 30 days are reasonable for lower-risk environments.

How do I know if my Nextcloud deployment is vulnerable?

Check your Nextcloud version (Settings > About) against the patched versions (21.1.10+, 22.0.11+, 23.0.3+). Then check Administration > System > Performance to see if High-performance Backend is enabled. If your version is below the patch threshold and HPB is not enabled, you are vulnerable.

This analysis is based on published CVE data as of June 2026. CVSS scores and severity classifications reflect NIST standards and may not align with your organization's risk appetite or business context. Always verify patch applicability against your specific Nextcloud version and configuration before applying updates. Consult the official Nextcloud security advisory for authoritative remediation steps. This content is for informational purposes and does not constitute professional security advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).