CVE-2026-45543: Nextcloud Forms Removed Collaborator Retains File Read Access
A flaw in Nextcloud Forms allows collaborators who have been removed from a form to retain unauthorized read access to uploaded respondent files. This affects forms running Nextcloud versions 4.3.0 through 5.2.6. If a user previously had access to view form results, removing them as a collaborator does not fully revoke their ability to read uploaded files associated with that form. The vulnerability is limited to files uploaded within forms where the removed user previously held results-viewing permissions.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-552
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Nextcloud is an open source content collaboration platform. From version 4.3.0 to before version 5.2.7, a removed collaborator retains unauthorized read access to uploaded respondent files for the affected form. The scope is limited to uploaded files for forms where that user previously had results access. This issue has been patched in version 5.2.7.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45543 is an authorization bypass vulnerability in Nextcloud Forms caused by improper access control cleanup when collaborators are removed. The flaw stems from inadequate permission revocation for uploaded respondent files in the form context. When a collaborator with results access is removed, the access control list (ACL) for previously uploaded files is not properly updated, leaving file read permissions intact. This affects versions 4.3.0 through 5.2.6 and is classified as CWE-552 (Files or Directories Accessible to External Parties). The CVSS 3.1 score of 5.3 reflects low attack complexity and network accessibility with limited confidentiality impact.
Business impact
Organizations using Nextcloud Forms to collect sensitive survey or form data face data leakage risk. Respondents who submit files through forms may have their uploads exposed to former collaborators, potentially compromising survey participants' privacy and sensitive information. The impact is narrowed to files within specific forms where the removed user had prior access, but in multi-user survey deployments, this creates compliance and trust concerns—particularly if forms collect personally identifiable information, medical data, or other regulated content. Incident response teams should audit form access logs to identify and notify affected respondents.
Affected systems
Nextcloud Forms versions 4.3.0 through 5.2.6 are affected. This includes all point releases within that range on both Nextcloud Server community and enterprise deployments. Nextcloud Forms is a standard component for survey and questionnaire collection within Nextcloud environments. Organizations running earlier versions (prior to 4.3.0) and version 5.2.7 and later are not affected by this specific issue.
Exploitability
Exploitability is straightforward for threat actors with network access. The vulnerability requires no authentication to discover (network accessible) and no user interaction. An attacker who was previously granted collaborator access to a form with results permissions can, after removal, continue accessing uploaded respondent files via direct API or file access methods. The low attack complexity and lack of privilege escalation requirements mean any removed collaborator with lingering knowledge of file identifiers or URLs can exploit this. However, real-world impact depends on whether organizations actively remove inactive or malicious collaborators and whether removed users retain session tokens or cached credentials.
Remediation
Upgrade Nextcloud Forms to version 5.2.7 or later. This patch version includes proper access control cleanup to revoke file read permissions when collaborators are removed from forms. Organizations should prioritize this upgrade if they use forms to collect sensitive respondent data. After upgrading, review recent form collaborator removals and consider auditing file access logs for unauthorized read attempts during the vulnerable window.
Patch guidance
Apply Nextcloud Forms version 5.2.7 or later. Verify with your Nextcloud vendor advisory that your deployment path and dependencies are covered by this version. If running Nextcloud as a containerized deployment, ensure the container image is rebuilt with the patched version and redeployed. If using a managed Nextcloud service (Nextcloud Enterprise or cloud provider hosting), contact your provider to confirm patch rollout timing. Test the patch in a staging environment with active form workflows to ensure no disruption to respondent uploads or results access for current collaborators.
Detection guidance
Monitor Nextcloud Forms access logs for file read operations by users who have been removed from specific forms. Query the audit trail for 'remove collaborator' events followed by subsequent file access from the removed user's account or IP address. Implement alerting on unauthorized file reads within the /forms endpoint namespace. Additionally, review form permission tables in the Nextcloud database to identify orphaned read permissions—files with ACLs referencing removed collaborators. If forensic investigation is needed, correlate removed collaborator timestamps with suspicious file download activity in web access logs. Tools like osquery or Nextcloud's built-in audit features can help surface these patterns.
Why prioritize this
While the CVSS score of 5.3 is MEDIUM severity, prioritization depends on data sensitivity and form usage patterns. Organizations collecting personally identifiable information, health data, or financial details through Nextcloud Forms should treat this as HIGH priority due to confidentiality and regulatory exposure. Organizations using forms for non-sensitive internal surveys may defer this to standard quarterly patching. However, given the low attack complexity and the fact that former employees or disgruntled contractors could easily exploit this, security teams should patch within 30–60 days. The vulnerability is not publicly exploited (not in KEV catalog), reducing active threat pressure but not eliminating insider risk.
Risk score, explained
The CVSS 3.1 score of 5.3 (MEDIUM) reflects: (1) Network-accessible attack vector with no authentication required; (2) low attack complexity (no special conditions); (3) limited impact scope (unauthorized read only, confined to uploaded files in specific forms); and (4) no integrity or availability impact. The score appropriately captures that this is a confidentiality leak with straightforward exploitability, but bounded in scope and not enabling lateral movement or system compromise. Organizations should consider context multipliers: if form respondents are sensitive populations or if forms are central to compliance workflows, internal risk rating should exceed the base CVSS score.
Frequently asked questions
Who can exploit this vulnerability?
Any user who was previously granted collaborator access with results-viewing permissions to a form can exploit this after being removed. This includes former employees, contractors, or external collaborators. However, the attacker must have prior knowledge of the form or its file structure, or be able to enumerate file identifiers.
Does upgrading to 5.2.7 retroactively revoke unauthorized access?
The patch ensures that future removals trigger proper access cleanup. However, it does not automatically revoke permissions granted to removed collaborators under the vulnerable versions. After patching, you should manually audit and revoke any orphaned permissions from previously removed users, or reset form permissions entirely and re-grant them.
Are there any workarounds before patching?
Before upgrading, manually review form collaborators and remove inactive or untrusted users immediately. Monitor file access logs for suspicious activity from recently removed collaborators. If a form contains highly sensitive data, consider temporarily restricting results access or moving the form content to a patched instance. However, these are interim measures; patching is the definitive fix.
Does this vulnerability affect other Nextcloud apps like Calendar or Contacts?
No, this vulnerability is specific to Nextcloud Forms and the authorization control for uploaded respondent files within the forms context. Other Nextcloud apps use different permission models and are not affected by this issue.
This analysis is provided for informational purposes and is current as of the published date. Readers should verify patch availability and applicability against official Nextcloud Security advisories and their specific deployment configuration. No guarantee is made regarding completeness or accuracy of version information; always consult vendor release notes before patching. SEC.co and its analysts assume no liability for decisions made on the basis of this advisory. Organizations should conduct their own risk assessment based on their data sensitivity and threat environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-40425MEDIUMMacGregor VDR Admin File Access Vulnerability – MEDIUM Risk
- CVE-2026-45275MEDIUMNextcloud Approval App Privilege Escalation & Authorization Bypass
- CVE-2026-45279MEDIUMNextcloud Server Path Traversal Allows Unauthorized File Copy
- CVE-2026-45282MEDIUMNextcloud Authentication Bypass on Link Share Attachments
- CVE-2026-45283MEDIUMNextcloud File Lock Authorization Bypass
- CVE-2026-45284MEDIUMNextcloud OIDC Authentication Bypass via Deleted LDAP Users
- CVE-2026-45285MEDIUMNextcloud Hidden Public Link Vulnerability – Unauthorized Data Access via Automatic External Sharing
- CVE-2026-45286MEDIUMNextcloud Calendar User Enumeration via Attendee Endpoint