CVE-2026-45279: Nextcloud Server Path Traversal Allows Unauthorized File Copy
Nextcloud Server contains a path traversal vulnerability that allows non-admin users to copy files into their own Nextcloud directories in certain scenarios. The vulnerability exists in specific versions and depends on underlying Unix file system permissions. An attacker would need already-elevated user privileges within Nextcloud to exploit this issue, limiting the practical threat surface.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.4 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-22
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if {lang} is used in the template directory config value, non-admin users can in some cases copy arbitrary files (depending on unix permissions) into their own Nextcloud directory via a path traversal. It is recommended that the Nextcloud Server is upgraded to 32.0.4, 31.0.14. It is recommended that the Nextcloud Enterprise Server is upgraded to 32.0.4, 31.0.14, 30.0.17.7, 29.0.17.12, 28.0.14.15
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
A path traversal vulnerability (CWE-22) has been identified in Nextcloud Server affecting versions 31.0.0 through 31.0.13 and 32.0.0 through 32.0.3. The vulnerability stems from improper handling of the {lang} placeholder in template directory configuration values. When this placeholder is used, the application fails to adequately sanitize user-supplied path inputs, permitting authenticated users to traverse directory structures and copy arbitrary files into their own user-controlled directories. Exploitation success depends on the underlying Unix file system permissions governing the source files and destination locations.
Business impact
This vulnerability could lead to unauthorized file disclosure or file placement within user directories, potentially exposing sensitive configuration files, shared content, or other data stored on the Nextcloud instance. The impact is confined to file operations within the scope of Unix permissions, so the blast radius depends heavily on file ownership and access controls. For organizations running affected Nextcloud versions, this represents a medium-severity insider risk requiring prompt attention.
Affected systems
Nextcloud Server open-source installations versions 31.0.0 through 31.0.13 and 32.0.0 through 32.0.3 are vulnerable. Nextcloud Enterprise Server users should verify their version against the following patch guidance. Organizations using maintained branches (e.g., version 30, 29, 28) should also monitor for recommended updates.
Exploitability
Exploitation requires an authenticated Nextcloud user account—non-admin users can trigger this issue in certain configurations. The CVSS score of 4.4 (Medium) reflects the high access privileges required (PR:H), complex attack conditions (AC:H), and limited confidentiality impact (C:H). This is not a remote unauthenticated vulnerability and is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no active public exploitation has been confirmed.
Remediation
Nextcloud Server users must upgrade to version 31.0.14 or later, or 32.0.4 or later, depending on their current branch. Nextcloud Enterprise Server users should upgrade to 32.0.4, 31.0.14, 30.0.17.7, 29.0.17.12, or 28.0.14.15 as applicable. Verify your current version in the Nextcloud administration panel and cross-reference against the vendor advisory before patching.
Patch guidance
Open-source Nextcloud Server: Upgrade to 31.0.14 or 32.0.4 or later. Nextcloud Enterprise Server: Upgrade to 32.0.4, 31.0.14, 30.0.17.7, 29.0.17.12, or 28.0.14.15 depending on your currently supported branch. Test patches in a staging environment first, especially if you have custom template configurations using the {lang} placeholder. Review your template directory configuration after patching to ensure the vulnerability vector has been removed.
Detection guidance
Monitor Nextcloud logs for unusual file copy or file write operations originating from non-admin users, particularly targeting directories outside their user-home scope. Look for path traversal patterns (../, ..\) in Nextcloud API logs or audit trails. If template directory configuration contains {lang}, prioritize your upgrade timeline. Consider implementing file integrity monitoring (FIM) on critical Nextcloud data directories to detect unauthorized file modifications or copies.
Why prioritize this
While this is a medium-severity issue requiring elevated user access, the potential for unauthorized file disclosure and the scope of affected versions (multiple supported branches) warrant timely remediation. Organizations with permissive Unix file permissions or multi-tenant Nextcloud instances should prioritize patching to limit insider-threat risks. The absence of KEV status and public exploits suggests this is not an immediate emergency, but should be included in the current patch cycle.
Risk score, explained
CVSS 4.4 (Medium) reflects a vulnerability requiring authentication (PR:H), high attack complexity due to Unix permission dependencies (AC:H), with confidentiality impact (C:H) but no integrity or availability impact under the standard attack scenario. The score appropriately weights this as a medium-priority issue requiring action but not emergency response.
Frequently asked questions
Can this vulnerability be exploited without a valid Nextcloud user account?
No. The vulnerability requires an authenticated user within Nextcloud. An attacker would need valid credentials to an existing user account (or be a non-admin user with directory write permissions) to attempt exploitation. Remote, unauthenticated exploitation is not possible.
Does this affect Nextcloud if I do not use {lang} in my template directory configuration?
The vulnerability is specifically triggered when the {lang} placeholder is used in the template directory config value. If your Nextcloud instance does not use this placeholder, your exposure is reduced, but you should still upgrade to the recommended versions to ensure comprehensive security coverage.
What is the difference between open-source and Enterprise Server patch versions?
Nextcloud Enterprise Server offers extended support across multiple release branches (versions 28–32), whereas open-source Server focuses on current major versions (31, 32). Enterprise customers have backported patches for older branches. Verify your deployment type and version to apply the correct patch.
Is this vulnerability currently being exploited in the wild?
No. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities catalog, and no active public exploits have been reported. However, you should still prioritize patching to prevent potential exploitation by insiders or motivated attackers with Nextcloud access.
This analysis is provided for informational purposes and does not constitute security advice. Organizations must independently verify all patch versions, compatibility, and testing requirements against official Nextcloud vendor advisories and their own environment. The CVSS score and KEV status reflect data current as of the provided source; verify against the National Vulnerability Database (NVD) and Nextcloud security announcements for the latest information. Always test patches in a non-production environment before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2019-25734MEDIUMContact Form by WD CSRF & Local File Inclusion Vulnerability
- CVE-2019-25740MEDIUMJoomla com_jsjobs Arbitrary File Deletion Vulnerability
- CVE-2024-47263MEDIUMSynology Hyper Backup Path Traversal – Admin Privilege Required
- CVE-2024-47273MEDIUMSynology Hyper Backup Path Traversal Vulnerability (4.3 MEDIUM)
- CVE-2026-0055MEDIUMAndroid Path Traversal in PackageInstallerService Enables Local Privilege Escalation to Device Policy Controller
- CVE-2026-10213MEDIUMAstrBot 4.23.6 Path Traversal in API Endpoint