LOW 3.3

CVE-2026-45278: Nextcloud OIDC Open Redirect Vulnerability – Patch Available

Nextcloud's user OIDC (OpenID Connect) module contains an open redirect vulnerability that allows attackers to craft malicious login links. When users click these links to authenticate via OIDC, they are redirected to attacker-controlled websites after logging in. This affects Nextcloud versions 6.1.0 through 8.2.1. The vulnerability has a low CVSS score because it requires user interaction and does not directly compromise confidentiality or availability.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.3 LOW · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-601
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that would redirect users to another website, when the victim uses the attackers link to log in via user OIDC. This issue has been patched in version 8.2.2.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45278 is an open redirect vulnerability (CWE-601) in the Nextcloud user_oidc module. The flaw allows attackers to inject arbitrary URLs into login redirect flows. When a user authenticates via OIDC using an attacker-crafted link, the application redirects them to a URL controlled by the attacker after successful authentication. The vulnerability stems from insufficient validation or sanitization of redirect parameters in the OIDC authentication handler, a common pattern in OAuth/OIDC implementations when destination URLs are not properly validated against a whitelist.

Business impact

Open redirects in authentication flows can facilitate phishing and credential harvesting. Post-login redirection to attacker sites increases the risk of malware distribution or secondary exploitation, as users may trust the redirect context following a successful login event. For organizations relying on Nextcloud for file collaboration and content management, this could undermine user confidence in the authentication process and create vectors for social engineering attacks. The impact is moderate in scope because it requires user action and awareness to be exploited effectively.

Affected systems

Nextcloud user_oidc module versions 6.1.0 through 8.2.1 are affected. Organizations using Nextcloud with OIDC-based user authentication should audit their deployments to confirm the version in use. This affects both self-hosted Nextcloud instances and any Nextcloud deployment integrating external identity providers via OIDC.

Exploitability

Exploitation requires social engineering: an attacker crafts a malicious login link and sends it to a user, relying on them to click it. No authentication or special privileges are required on the attacker's side. The attack has low complexity but depends on user interaction (UI:R in the CVSS vector). The open redirect occurs only after successful authentication, which may reduce perceived urgency for the user to notice or question the redirect destination. This makes it suitable for targeted phishing campaigns but not mass exploitation without significant social effort.

Remediation

Upgrade to Nextcloud version 8.2.2 or later. This version contains the patch that validates and sanitizes redirect URLs in the OIDC authentication flow. Organizations should treat this as a routine security update rather than an emergency patch given the low CVSS score, but it should still be prioritized in the normal patching cycle, particularly if the Nextcloud instance is exposed to untrusted networks or used in high-security environments.

Patch guidance

Apply Nextcloud version 8.2.2 or newer to all affected instances. Verify the patch by confirming the version in Nextcloud's admin panel (Settings > Administration > Overview) or via command-line tools (e.g., `occ config:system:get version`). Test the patch in a non-production environment first to ensure OIDC authentication continues to function correctly with your identity provider. No configuration changes are required post-patch; the security fix is applied transparently.

Detection guidance

Monitor authentication logs for unusual redirect patterns or URL parameters in OIDC login requests. Look for redirect parameter manipulation in web server or application logs. Examine OIDC provider logs for unexpected post-authentication redirects to external domains. Implement URL schema validation at the network level if possible, and educate users to verify that post-login redirects align with expected Nextcloud domains. Organizations may also monitor for phishing complaints correlated with Nextcloud login attempts.

Why prioritize this

This vulnerability merits standard (not urgent) priority in most environments. The CVSS score of 3.3 reflects low severity, and real-world exploitation requires social engineering. However, organizations in highly sensitive environments (government, financial, healthcare) should patch sooner due to the phishing and credential theft vectors. Prioritize patching for externally facing Nextcloud instances or those accessed by high-value users who may be targeted. Internal-only deployments can follow routine update schedules.

Risk score, explained

The CVSS 3.1 score of 3.3 (LOW) reflects: Attack Vector Local (AV:L) acknowledges the attacker must craft and deliver a link; Attack Complexity Low (AC:L) because link crafting is trivial; Privileges Required None (PR:N) as no account is needed; User Interaction Required (UI:R) because the victim must click the link; Scope Unchanged (S:U) as impact is limited to the user's session; Confidentiality None (C:N) as no data is exposed; Integrity Low (I:L) because the redirect may lead to malicious content; Availability None (A:N). The score appropriately captures a phishing-grade threat that is real but constrained by user agency.

Frequently asked questions

Can this vulnerability steal my Nextcloud password?

No. The vulnerability does not intercept or capture credentials. However, attackers can craft links that, after you successfully log in with your real password, redirect you to a fake website that resembles Nextcloud or your identity provider. This could be used to trick you into re-entering credentials or downloading malware. The key defense is to verify that redirects point to legitimate Nextcloud domains and to never re-enter credentials after a redirect.

Does this affect Nextcloud instances using local user accounts instead of OIDC?

No. This vulnerability is specific to the user_oidc module and only affects deployments that use OpenID Connect for authentication. If your Nextcloud instance uses built-in user accounts or other authentication methods (LDAP, SAML), this CVE does not apply. Check your Nextcloud admin settings to confirm which authentication method is in use.

Is there a workaround if we cannot patch immediately?

Workarounds are limited, but you can reduce risk by restricting OIDC login links to trusted networks, disabling external access to the OIDC login endpoint if not required, and educating users to inspect URLs before clicking login links. However, these are temporary measures. Patching to version 8.2.2 or later is the definitive fix and should be planned as soon as feasible.

Why is the CVSS score so low if this is a security issue?

The score reflects that the vulnerability requires user interaction and does not result in data theft or system outage. However, 'low' CVSS does not mean 'unimportant.' Open redirects are widely exploited in phishing campaigns and can erode user trust. Prioritize based on your organization's risk tolerance and user exposure, not solely on CVSS.

This analysis is provided for informational purposes and reflects the vulnerability as described in official sources. Organizations should verify all patch version numbers and compatibility against the official Nextcloud security advisory and release notes before deployment. Testing in a non-production environment is strongly recommended. This document does not constitute legal or compliance advice. SEC.co makes no warranty regarding the completeness or accuracy of this analysis beyond the source data provided. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).