CVE-2026-45285: Nextcloud Hidden Public Link Vulnerability – Unauthorized Data Access via Automatic External Sharing
Nextcloud inadvertently creates hidden public links when users share folders or files with Teams that include external members (people invited via email without Nextcloud accounts). These links remain invisible in the sharing interface but are emailed to the external recipient and grant full permissions—read, write, delete, reshare, download. An attacker intercepting or receiving one of these links gains unfettered access to all shared data without authentication, and the folder owner cannot see or revoke the link through normal UI controls. Versions 32.0.0–32.0.8 and 33.0.0–33.0.2 are vulnerable; patches are available.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-862
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Nextcloud is an open source content collaboration platform. From versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a user shares a folder or file with a Nextcloud Team that includes an external member (a person added via email address who does not have a Nextcloud account), the system automatically creates a public link for that external member. This public link is not displayed in the share section of the folder, so the folder owner has no knowledge of its existence. It is sent via email to the external member. It grants the same permissions (read, write, delete, reshare, download) as the Team’s access. An attacker who receives or intercepts this link can access, modify, delete, reshare, and download all data in the shared folder without any further authentication. The folder owner cannot see or revoke the link through the normal sharing interface. This issue has been patched in versions 32.0.9 and 33.0.3.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from an authorization and visibility gap in Nextcloud's Team sharing workflow. When a folder or file is shared with a Team containing an external member, the system automatically generates a public share link to provision access for that non-account holder. However, this link is not indexed or displayed in the share management section of the folder, creating an asymmetry between intended permissions and operational visibility. The link inherits the Team's access level (read, write, delete, reshare, download) and is transmitted via email. An attacker with access to the link (through interception, compromise of the recipient's email, or social engineering) can exploit it for direct, unauthenticated access to the shared resource. The folder owner has no UI mechanism to discover or revoke the link, preventing normal remediation workflows. The flaw maps to CWE-862 (Missing Authorization).
Business impact
Organizations using Nextcloud to manage sensitive team collaboration face elevated risk of unintended data disclosure and unauthorized modification. Shared folders believed to be restricted to Team members may actually be accessible via hidden public links. Attackers gaining possession of these links can exfiltrate, alter, or delete data—including confidential documents, customer records, or project files—without triggering audit trails visible to the folder owner. For regulated industries (healthcare, finance, legal), this creates compliance and breach notification obligations. The inability to revoke the link means containment must occur outside Nextcloud (e.g., disabling the email account or rotating credentials). Organizations that have shared sensitive materials with external Teams since 32.0.0 should assume links may have been leaked and take inventory of exposed content.
Affected systems
Nextcloud Server versions 32.0.0 through 32.0.8 and 33.0.0 through 33.0.2 are vulnerable. This affects both on-premises and cloud-hosted Nextcloud deployments running these versions. Vulnerability is present only when (1) a folder or file is shared with a Team and (2) that Team includes at least one external member invited via email. Standard peer-to-peer shares or Team shares without external members are not impacted. End-users with Nextcloud accounts cannot exploit the vulnerability themselves; risk is limited to attackers who gain access to the auto-generated link.
Exploitability
The CVSS score of 6.4 (MEDIUM) reflects a moderate risk profile. Exploitation requires network access and a valid Nextcloud user account (PR:L) to initiate a Team share with an external member; it also requires user interaction (UI:R) to complete the sharing action. However, once the link is generated and emailed, any actor with access to that link—whether through email interception, phishing, or direct recipient compromise—can exploit it without further authentication. The barrier to obtaining the link is social engineering or email compromise rather than cryptographic breakthrough, making real-world exploitation plausible in targeted scenarios. The link itself is a valid bearer token to the shared resource. CVE is not listed in CISA's Known Exploited Vulnerabilities catalog, indicating no widespread in-the-wild exploitation at publication.
Remediation
Upgrade Nextcloud Server to version 32.0.9 or later (if running 32.x) or to version 33.0.3 or later (if running 33.x). After patching, review your Team sharing history. Any folders or files shared with Teams containing external members since upgrading to 32.0.0 should be considered potentially exposed via hidden links. Rotate or invalidate sensitive data in those folders if possible. Going forward, avoid sharing highly sensitive materials with Teams that include external members via the standard Team share mechanism; instead, consider direct external sharing using explicit public links or alternative access controls. Monitor Nextcloud access logs for unusual downloads or modifications by external IPs. For immediate mitigation on unpatched systems, disable or remove external members from Teams that share sensitive data, or use Nextcloud's permission controls to restrict the permissions granted to Teams before sharing sensitive resources.
Patch guidance
Nextcloud has released patches in version 32.0.9 and 33.0.3. Organizations should prioritize updating to these versions as soon as possible. If you are running Nextcloud Server 32.x, upgrade to 32.0.9 or later. If you are running 33.x, upgrade to 33.0.3 or later. Earlier major versions (31.x and below) are not affected and do not require patching for this issue. Test patches in a staging environment before deployment to verify compatibility with your configuration and third-party integrations. Nextcloud provides official upgrade documentation and changelogs; verify patch availability against the vendor's release announcements and your deployment channel (community edition, enterprise, etc.).
Detection guidance
In Nextcloud's sharing database and logs, look for public links created automatically during Team share operations that do not appear in the UI sharing section. Use Nextcloud's audit logs to identify (1) Team shares created with external members and (2) subsequent public link generation events that the folder owner did not explicitly create. If audit logging is enabled, search for share creation events followed by public link tokens. Organizations can also query the shares table in Nextcloud's database to identify orphaned public links linked to Team shares. On the network side, monitor for access to Nextcloud public link URLs from IPs that are not known Team members or the invited external address, which could indicate link compromise or unauthorized use. Implement endpoint detection rules that flag unusual bulk downloads of files from Nextcloud public links lacking prior authenticated sessions.
Why prioritize this
Although CVSS is scored MEDIUM, this vulnerability warrants prompt remediation due to (1) the stealth of the hidden link—folder owners are unaware of exposure and cannot self-remediate through the UI, (2) the broad permissions inherited from the Team (read, write, delete, reshare, download), (3) the availability of a patch, and (4) the likelihood that organizations using Team sharing are managing collaborative data that includes confidential or sensitive materials. The lack of visibility is the key risk multiplier: an unpatched system may be actively leaking data without the administrator's knowledge. Prioritize patching if you use Nextcloud Team sharing with external members or if external collaboration is common in your organization.
Risk score, explained
CVSS 6.4 reflects (1) network-accessible attack vector (AV:N), (2) high attack complexity due to the need for a valid user account and user interaction to trigger the share (AC:H, UI:R), (3) low privilege requirement (PR:L), (4) high confidentiality and integrity impact (C:H, I:H) once a link is obtained, and (5) no availability impact (A:N). The score does not fully account for the covert nature of the link creation and the owner's inability to revoke it, which are not directly captured in CVSS but elevate practical risk. The actual exploitability depends on how widely external Team sharing is used and whether email or bearer tokens are intercepted. In environments with mature email security and limited external collaboration, risk may trend lower; in organizations with frequent external Team sharing, risk is elevated.
Frequently asked questions
How do I know if our Nextcloud instance has been affected?
Check your Nextcloud version in Settings > Administration > Overview. If you are running version 32.0.0–32.0.8 or 33.0.0–33.0.2, you are vulnerable. Review your Team sharing history: any folder or file shared with a Team containing external members may have had a hidden public link created. You can query your database or examine Nextcloud audit logs (if enabled) to search for public link creation events during Team share operations. If in doubt, assume affected and upgrade to patch immediately.
Do I need to worry if external members were never added to our Teams?
No. The vulnerability only manifests when a folder or file is shared with a Team that includes an external member (someone invited via email without a Nextcloud account). If your Teams consist solely of local Nextcloud users, the automatic public link generation does not occur, and you are not vulnerable. However, you should still upgrade for other security improvements and future protections.
Can the folder owner see or revoke the hidden public link?
No. This is the core issue. The public link is generated automatically and not displayed in the normal sharing interface. There is no UI control for the owner to discover, manage, or revoke it. The owner must either delete the entire Team share (revoking all access, including legitimate Team members) or remove external members from the Team. After patching, this behavior is corrected, and links are properly managed through the sharing interface.
If we upgrade to 33.0.3, will existing hidden links be automatically removed?
Patching fixes the vulnerability mechanism going forward—new shares will not generate hidden links. However, the patch does not retroactively revoke or delete links that were already created and sent to external members before the upgrade. After patching, conduct an audit of past Team shares, and consider reverifying or re-sending explicit share links to external members through a secure channel. If you shared sensitive data with Teams containing external members, treat the data as potentially exposed and implement compensating controls (e.g., data access review, credential rotation, or re-sharing with updated permissions).
This analysis is provided for informational and educational purposes. While we have endeavored to ensure accuracy, vulnerability details may evolve as vendors and researchers publish additional findings. Organizations should verify all technical details, patch version numbers, and remediation steps against official Nextcloud advisories and release notes. This vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities catalog. No public exploit code or proof-of-concept has been widely distributed at the time of publication. The risk score and prioritization reflect a general threat posture; your organization's actual risk may vary based on architecture, access controls, and data sensitivity. Always test patches in a non-production environment before deployment. For latest updates, consult the Nextcloud Security Advisory documentation and your vendor support channel. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-12714MEDIUMRank Math SEO Plugin Unauthenticated Metadata Injection Vulnerability
- CVE-2025-52766MEDIUMMissing Authorization in Printeers Print & Ship – CVSS 6.5
- CVE-2025-53302MEDIUMMissing Authorization in Anton Shevchuk Constructor Framework
- CVE-2025-53346MEDIUMMissing Authorization in ThimPress Thim Core 2.3.3
- CVE-2026-10616MEDIUMAuthorization Bypass in nextlevelbuilder GoClaw Task Completion
- CVE-2026-10815MEDIUMAuthorization Bypass in Hostel Management System PHP
- CVE-2026-10855MEDIUMMISP Event Template Authorization Flaw – Patch Guidance
- CVE-2026-27351MEDIUMMissing Authorization in Sekander Badsha Crew HRM—Patch Guidance & Risk Analysis