CVE-2026-45282: Nextcloud Authentication Bypass on Link Share Attachments
Nextcloud Server contains a flaw that allows an authenticated user to download file attachments from password-protected or restricted link shares if they know the share token and have access to a document ID. This bypasses the intended security controls around shared links. The attacker can only extract attached files, not the shared documents themselves, and the vulnerability requires prior authentication and knowledge of specific document identifiers.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-284
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authenticated attacker can access attachments of link shares when knowing the share token, circumventing password protection or download restrictions. It is applicable to any file that is shared directly, as the attacker only needs to know a documentId they own, apart of the mentioned share token. For shared folders the attacker has to know or guess a documentId of a file that is included inside the folder, making it much harder to exploit. The attacker can only extract an attachments, but not the file shared file or folder itself. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17 or 27.1.11.5
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45282 is an improper access control vulnerability (CWE-284) in Nextcloud Server affecting versions 32.0.0 through 32.0.8 and 33.0.0 through 33.0.2. The vulnerability stems from insufficient authorization checks when accessing attachments through link-share endpoints. An authenticated attacker can construct requests using a known share token combined with a document ID they own (or guess, in the case of folder shares) to retrieve attachment content that should be restricted by password protection or download limitations. The flaw does not grant access to the shared files or folders themselves, only their associated attachments.
Business impact
Organizations using Nextcloud for secure file sharing face a moderate risk of data exposure through link shares. Confidential documents shared with password protection or download restrictions may have their attachments accessed by unauthorized parties who gain knowledge of the share token. This is particularly concerning for regulated industries where link shares are used to distribute sensitive materials with granular access controls. The impact is limited to attachment extraction, reducing but not eliminating risk for typical document-sharing workflows.
Affected systems
Nextcloud Server versions 32.0.0 to 32.0.8 and 33.0.0 to 33.0.2 are vulnerable. Nextcloud Enterprise Server versions prior to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, and 27.1.11.5 require patching. Community deployments running affected versions are exposed; enterprise customers have multiple branch updates available depending on their deployed version.
Exploitability
The vulnerability requires authentication to Nextcloud, limiting the attack surface to users with valid accounts. However, exploitation is straightforward once inside: an attacker needs only the share token (often shared via link) and a document ID. For direct file shares, the attacker must own the document; for folder shares, guessing or discovering a document ID within the shared folder is the barrier to entry. No user interaction is required beyond initial authentication. The CVSS 3.1 score of 6.5 reflects the authentication requirement offset by the ease of exploitation and high confidentiality impact.
Remediation
Upgrade Nextcloud Server to version 32.0.9 or 33.0.3 or later. Enterprise customers should verify their current branch and upgrade to the appropriate patched version: 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, or 27.1.11.5. Verify patch application by checking the version string in the administration interface or via API.
Patch guidance
Community Nextcloud Server users: update to 32.0.9 or 33.0.3. Enterprise users: identify your current major version (33, 32, 31, 30, 29, 28, or 27.1) and upgrade to the corresponding patched release listed in the advisory. Nextcloud typically supports multiple major versions with security backports. Test patches in a staging environment before production deployment, particularly if custom extensions are in use, as attachment handling may be touched by third-party code.
Detection guidance
Monitor Nextcloud access logs for authenticated users accessing attachment endpoints with share tokens that do not correspond to shares they created or explicitly administer. Look for patterns of attachment retrieval from link-share endpoints, particularly where the requesting user ID differs from the share creator. Enable debug logging on document and attachment access APIs if available. Implement alerting on repeated 401/403 responses followed by successful 200 responses to attachment endpoints, which may indicate token enumeration attempts.
Why prioritize this
Although the vulnerability requires prior authentication and is limited to attachment extraction, the relative ease of exploitation and the high confidentiality impact warrant prompt patching. Organizations relying on link-share password protection for compliance or regulatory purposes should treat this as a priority update. The availability of patches across multiple version branches reduces upgrade friction.
Risk score, explained
The CVSS 3.1 score of 6.5 (Medium) reflects a combination of factors: authentication is required (PR:L), reducing accessibility; the attack is network-based with no complexity (AV:N, AC:L); the confidentiality impact is high (C:H) as attachment content is exposed; and integrity and availability are not affected (I:N, A:N). The score appropriately captures a moderate but meaningful risk suitable for prioritized patching within normal maintenance windows.
Frequently asked questions
Can an attacker without a Nextcloud account exploit this vulnerability?
No. The vulnerability requires an authenticated Nextcloud user account. An attacker must first gain or possess valid credentials to the Nextcloud instance.
Does this vulnerability allow access to the shared file or folder itself?
No. The flaw is specific to attachments associated with shared files or folders. The shared documents themselves remain protected by the share restrictions.
What is the primary difference in exploit difficulty between direct file shares and folder shares?
For direct file shares, the attacker must own or have created the document. For folder shares, the attacker only needs to know or guess a document ID of a file contained within the shared folder, making it a lower barrier in some scenarios.
Are there workarounds if I cannot patch immediately?
Limit the distribution of link-share tokens to trusted parties and monitor access logs for suspicious patterns. However, patching is the definitive remediation and should not be delayed long-term.
This analysis is based on the published CVE description and vendor advisory as of the modification date. Exploit code or weaponized proof-of-concept information is not included. Organizations should verify patch availability and version applicability directly with Nextcloud before deployment. Security controls and access patterns vary by deployment; this assessment should be adapted to your specific Nextcloud configuration and threat model. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-45284MEDIUMNextcloud OIDC Authentication Bypass via Deleted LDAP Users
- CVE-2024-27891MEDIUMArista EOS MACsec + Egress ACL Policy Enforcement Failure
- CVE-2026-10152MEDIUMImproper Access Control in TaleLin lin-cms-spring-boot Book Endpoint
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation
- CVE-2026-10255MEDIUMPharmacy Sales System Authentication Bypass – SourceCodester 1.0
- CVE-2026-10277MEDIUMImproper Access Control in MCP Google Workspace Gmail Tool
- CVE-2026-10806MEDIUMUnrestricted File Upload in mjperpinosa stumasy