CVE-2026-45284: Nextcloud OIDC Authentication Bypass via Deleted LDAP Users
Nextcloud's OIDC (OpenID Connect) user authentication module contains a flaw that allows deleted LDAP users to continue authenticating to the system. When an organization uses both LDAP and OIDC for user management, deletion of a user from LDAP does not properly prevent that user from logging in via OIDC. This creates an unintended persistence of access for users who should no longer have system privileges. The issue affects Nextcloud versions 1.3.6 through 8.3.x and has been resolved in version 8.4.0.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.6 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-284
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that where provided by LDAP to still authenticate towards user OIDC after they where deleted. This issue has been patched in version 8.4.0.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from an improper access control check in the User OIDC application. When LDAP is configured as an identity provider alongside OIDC, the system fails to validate whether a user still exists in LDAP before permitting OIDC authentication. Specifically, after a user account is removed from the LDAP directory, the OIDC authentication path does not cross-reference the user's current LDAP status. This allows an attacker or former employee with knowledge of OIDC credentials to bypass the intended access revocation and maintain session access. The flaw is classified as an improper access control issue (CWE-284), indicating the authentication logic does not sufficiently enforce authorization boundaries between identity sources.
Business impact
This vulnerability creates a privileged access retention risk. In hybrid identity environments where LDAP serves as the authoritative user repository and OIDC provides federated authentication, the inability to fully revoke access upon user deletion undermines offboarding procedures. Former employees, contractors, or disabled accounts could retain unauthorized access to Nextcloud instances and sensitive collaborative content. Organizations relying on prompt access revocation for compliance, data protection, or incident response are directly impacted. The severity is moderated by the requirement for local privilege level and user interaction, but the persistence of access for deleted users represents a meaningful security degradation.
Affected systems
The User OIDC application in Nextcloud versions 1.3.6 through 8.3.x is affected. Organizations running Nextcloud with both LDAP and OIDC identity providers active are at risk. The vulnerability does not affect Nextcloud instances using only OIDC or only LDAP authentication without the hybrid configuration. Nextcloud version 8.4.0 and later include the corrective patch.
Exploitability
Exploitation requires an authenticated user account and relies on user interaction, as indicated by the CVSS vector's inclusion of UI:R and PR:L factors. An attacker would need to either be a current or former user with OIDC credentials or credentials acquired through other means. The complexity is considered high (AC:H), suggesting that specific conditions or configurations must be present for successful exploitation. This is not a trivial remote exploit requiring no privileges; it represents a mishandling of the access revocation process rather than a remotely triggerable vulnerability. The attack surface is limited to organizations explicitly using both LDAP and OIDC simultaneously.
Remediation
Upgrade Nextcloud to version 8.4.0 or later to apply the patch that restores proper authorization checks between LDAP and OIDC. Organizations unable to upgrade immediately should conduct an access audit to identify and manually disable OIDC accounts corresponding to deleted LDAP users. If feasible, temporarily disabling OIDC authentication in favor of LDAP-only authentication can reduce the attack window during transition. Additionally, implementing network-level access controls or geographic IP restrictions for Nextcloud can provide defense-in-depth until patching is complete.
Patch guidance
Apply Nextcloud version 8.4.0 or later. The patch corrects the improper access control check to ensure that OIDC authentication properly validates the user's current status in LDAP. Verify the patch version against the official Nextcloud advisory and release notes. If running a self-hosted Nextcloud instance, coordinate patching with your deployment schedule to minimize downtime. For organizations using Nextcloud cloud services, confirm with your provider that the environment has been updated.
Detection guidance
Monitor authentication logs for OIDC login attempts from users who have been deleted from LDAP. Implement or review SIEM queries that cross-reference OIDC login events with LDAP deletion timestamps. Check for login activity from disabled or offboarded user accounts—this is the primary indicator of exploitation. Additionally, review OIDC session logs for unusual access patterns after known user offboarding dates. Organizations with detailed identity and access management (IAM) logging can correlate LDAP deletion records with subsequent OIDC authentication events to identify potential exploitation.
Why prioritize this
Although the CVSS score of 4.6 (Medium) reflects the requirement for authentication and user interaction, the security control bypass—specifically the failure to revoke access upon user deletion—merits immediate attention. This vulnerability undermines a critical business process: offboarding. Organizations reliant on rapid access revocation for data security, regulatory compliance (SOX, HIPAA, GDPR), or incident containment should prioritize patching. The issue becomes more urgent in environments with high user churn, frequent contractor engagements, or security-sensitive data. However, this is not a critical infrastructure vulnerability and can be addressed within standard change management windows if interim detection and monitoring controls are established.
Risk score, explained
The CVSS 3.1 score of 4.6 reflects a Medium severity vulnerability. The Network vector (AV:N) accounts for remote accessibility, but the requirement for local authentication privilege (PR:L), high complexity (AC:H), and user interaction (UI:R) collectively reduce the score. The impact to Confidentiality, Integrity, and Availability is each rated Low (C:L, I:L, A:L), as a deleted user's access to data represents an unauthorized view and potential modification but does not cause system outage or widespread compromise. The score appropriately captures that this is not a remotely exploitable unauthenticated vulnerability, but rather a mishandled authorization check in a hybrid identity scenario.
Frequently asked questions
Does this vulnerability affect Nextcloud instances using only LDAP or only OIDC?
No. The vulnerability specifically occurs when both LDAP and OIDC are configured together. Nextcloud deployments using a single authentication method are not affected by this issue.
Can we detect if this vulnerability has been exploited in our environment?
Yes. Search your authentication and application logs for OIDC login attempts from user accounts that were deleted from your LDAP directory. A successful login from a deleted user account after the deletion date is a strong indicator of potential exploitation. Correlating LDAP deletion events with OIDC session logs will reveal any unauthorized access.
Is there a workaround if we cannot patch immediately?
Temporarily disabling OIDC authentication and relying solely on LDAP until you can deploy version 8.4.0 will prevent this specific vulnerability from being exploited. Alternatively, manually audit and remove OIDC credentials for all deleted LDAP users. Both approaches are interim measures and should be combined with enhanced monitoring until the patch is applied.
What is the difference between this vulnerability and a standard account deletion failure?
This is more than a simple deletion bug. It represents a failure in access control enforcement between two identity systems. When LDAP (the authoritative source) deletes a user, the OIDC authentication layer should respect that decision, but it does not. This creates a scenario where the security boundary between identity sources is compromised.
This analysis is provided for informational and educational purposes. The information is based on the vulnerability disclosure and publicly available vendor statements as of the publication date. Organizations should verify all patch versions and compatibility against official Nextcloud advisories and release notes before deployment. The absence of exploitation in the wild does not indicate a vulnerability is not exploitable; organizations should treat this vulnerability according to their own risk tolerance, data sensitivity, and regulatory requirements. This analysis does not constitute professional security advice; consult with your security team and vendor support for guidance specific to your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-45282MEDIUMNextcloud Authentication Bypass on Link Share Attachments
- CVE-2024-27891MEDIUMArista EOS MACsec + Egress ACL Policy Enforcement Failure
- CVE-2026-10152MEDIUMImproper Access Control in TaleLin lin-cms-spring-boot Book Endpoint
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation
- CVE-2026-10255MEDIUMPharmacy Sales System Authentication Bypass – SourceCodester 1.0
- CVE-2026-10277MEDIUMImproper Access Control in MCP Google Workspace Gmail Tool
- CVE-2026-10806MEDIUMUnrestricted File Upload in mjperpinosa stumasy