CVE-2026-45283: Nextcloud File Lock Authorization Bypass
Nextcloud Server contains a file access control vulnerability in its files_lock app that allows authenticated users to manipulate file locks belonging to other users. By knowing the WebDAV paths of files owned by colleagues, an attacker could lock or unlock those files without authorization. Additionally, the vulnerability exposes lock tokens in error messages, enabling attackers to remove locks that other users' applications have legitimately placed. This requires an attacker to be a registered user with valid credentials, but does not require special privileges. The issue affects Nextcloud Server versions 32.0.0 through 32.0.1 and 33.0.0 through 33.0.0, with enterprise deployments on version 31 also at risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-287
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the files_lock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated user could lock or unlock files belonging to other users by targeting their absolute WebDAV paths. Additionally, lock tokens were disclosed to unauthorized callers in error responses, allowing attackers to remove token-based locks placed by other users' client applications. It is recommended that the Nextcloud Server is upgraded to 32.0.2 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 31.0.14.4 or 32.0.2 or 33.0.1
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The files_lock app in Nextcloud Server fails to enforce proper ownership validation on WebDAV lock and unlock operations (CWE-287: Improper Authentication). When processing DAV LOCK and UNLOCK requests, the application does not verify that the authenticated user owns the target file before granting or revoking lock status. An attacker can abuse this by constructing direct requests to absolute WebDAV paths of other users' files. Furthermore, error responses from failed lock operations inadvertently disclose lock tokens, which can be reused to bypass token-based lock protections that client applications rely on. This compounds the authorization flaw by enabling token theft and reuse.
Business impact
This vulnerability creates a denial-of-service and collaboration disruption vector for organizations using Nextcloud as a shared workspace. Malicious or compromised user accounts can systematically lock files belonging to other team members, blocking access and preventing edits. In regulated environments or those handling sensitive project data, this could impede critical workflows and create audit trail complications. The token disclosure aspect is particularly concerning in scenarios where lock tokens serve as a security boundary between different applications or integrations accessing the same file store. Teams relying on file locking for concurrent editing safeguards could experience loss of intended protections.
Affected systems
Nextcloud Server versions 32.0.0 to 32.0.1 and 33.0.0 to 33.0.0 are affected. Nextcloud Enterprise Server versions 31.0.x (prior to 31.0.14.4) are also vulnerable. Deployments using community editions on versions 30 and earlier, or 32.0.2+, 33.0.1+, and 31.0.14.4+ (enterprise) are not affected. Organizations should verify their installed Nextcloud version via the admin panel or command-line query. Instances with the files_lock app disabled are not exploitable, though this is a core app in standard installations.
Exploitability
Exploitation requires valid Nextcloud user credentials and network access to the WebDAV endpoint—a low bar in most internal deployments. An attacker does not need to be an administrator, file owner, or to have special permissions; ordinary user accounts are sufficient. The attack surface is the standard WebDAV interface available to any authenticated user. Lock token disclosure is passive and may occur during routine error handling when clients retry failed lock requests. The CVSS score of 6.3 (Medium) reflects the requirement for authentication and the limited scope of impact per lock operation, though widespread targeting of files could cause significant operational disruption.
Remediation
Upgrade Nextcloud Server to version 32.0.2 or 33.0.1 immediately. For Nextcloud Enterprise Server deployments, upgrade to 31.0.14.4, 32.0.2, or 33.0.1. These releases patch the ownership validation logic in the files_lock app and suppress lock token disclosure in error responses. Administrators should plan maintenance windows to minimize disruption, as upgrades typically require brief service interruption. After upgrade, verify that the files_lock app is enabled and functioning correctly by testing lock/unlock operations on files with multiple users.
Patch guidance
Nextcloud provides security updates through its standard release channels. Administrators should review the official Nextcloud security advisory and release notes for their version line (31, 32, or 33) to confirm the exact patch availability and any breaking changes. Update mechanisms vary depending on whether your instance uses the built-in updater, a package manager, or manual deployment. Community edition instances should prioritize upgrading to 32.0.2 or 33.0.1; enterprise customers with support contracts should coordinate with Nextcloud for 31.0.14.4 or newer. Test patches in a non-production environment first to validate compatibility with any custom apps or integrations.
Detection guidance
Monitor WebDAV access logs for unusual LOCK or UNLOCK requests originating from users targeting files outside their own directories. Successful exploitation may show patterns of authenticated requests to other users' absolute WebDAV paths (/remote.php/dav/files/otheruser/...). Review application logs for repeated failed lock attempts followed by successful unlock operations, which could indicate token harvesting from error responses. Nextcloud audit logs may show lock state changes that do not correlate with user actions through the web interface, suggesting direct DAV manipulation. Endpoint protection and SIEM tools configured to track file system permission anomalies should flag unexpected lock state modifications.
Why prioritize this
This vulnerability merits prompt attention because it directly undermines file-level access control and collaboration safeguards that users rely on daily. While it requires authentication, the ease of exploitation and the potential for widespread workflow disruption across all users justifies prioritization ahead of lower-impact issues. The token disclosure compound risk also creates a pathway for more persistent attacks if lock tokens are cached or logged by third-party systems. For organizations with large concurrent editing workloads or strict data governance, this is a high operational priority.
Risk score, explained
The CVSS 3.1 score of 6.3 (Medium) reflects: Attack Vector Network (all authenticated users can exploit remotely), Attack Complexity Low (standard WebDAV operations), Privileges Required Low (ordinary user sufficient), User Interaction None (automated exploitation possible), and Scope Unchanged (impact limited to file locks on the same system). Confidentiality, Integrity, and Availability impacts are each rated Low because a single lock operation affects only one file and does not directly expose data or destroy information, though cumulative exploitation can create denial-of-service conditions. Organizations with multi-user collaboration as a core function may reasonably elevate internal risk ratings above the CVSS baseline.
Frequently asked questions
Can this vulnerability be exploited without a valid Nextcloud user account?
No. Exploitation requires valid credentials and network access to the Nextcloud WebDAV endpoint. Unauthenticated attackers cannot perform lock or unlock operations. However, any legitimate user—even those with minimal permissions—can exploit the flaw against other users' files.
Does disabling the files_lock app prevent the vulnerability?
Yes. If your workflow does not depend on WebDAV-level file locking, disabling the files_lock app through the Nextcloud admin console eliminates the vulnerability. However, this may break client applications that rely on lock tokens for concurrent editing safeguards.
What is the practical impact of lock token disclosure?
Lock tokens are meant to tie a lock to a specific client session. If disclosed in error messages, an attacker can reuse that token to unlock files even after the legitimate user's session ends. This is most dangerous in automated workflows where locks are long-lived or tokens are logged to accessible locations.
Will upgrading affect my existing files or user data?
Patched versions only change the validation logic and error handling for lock operations. Existing files and user data are not modified. However, any locks placed by users before the upgrade may remain in place afterward; administrators should advise users to refresh their client applications after upgrade to ensure locks are properly re-established if needed.
This analysis is based on the CVE record and vendor advisory available as of the publication date. Vulnerability details, patch availability, and affected versions are subject to change; always verify against the official Nextcloud security advisory and release notes before planning remediation. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and accepts no liability for damages resulting from its use. Security decisions should incorporate threat modeling, asset inventory, and internal risk tolerance. This document does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-45690MEDIUMNextcloud 2FA Bypass via Session Token Replay
- CVE-2026-45691MEDIUMNextcloud 2FA Bypass via Session Cookie Reuse on DAV Endpoints
- CVE-2023-5502MEDIUMArista EOS 802.1x Authentication Bypass Vulnerability
- CVE-2026-10283MEDIUMBottelet DaybydayCRM Authentication Bypass in Settings Handler
- CVE-2026-10548MEDIUMImproper Authentication in NousResearch hermes-agent Credential Synchronization
- CVE-2026-45153MEDIUMNextcloud Android Files App PIN Bypass via Back Button
- CVE-2026-45289MEDIUMCloudburstMC Protocol Authentication Validation Bypass (MEDIUM)
- CVE-2026-10157HIGHOpen5GS NGAP Authentication Bypass Vulnerability – 5G Core Network Risk