MEDIUM 4.3

CVE-2026-45544: Nextcloud Tables Filter Criteria Information Disclosure

Nextcloud Tables, a collaborative document and data management component, contains an information disclosure vulnerability affecting versions 0.8.0 through 1.0.3. The issue allows users with read-only access to view filter criteria—potentially including sensitive column names, field definitions, or search logic—that should have been restricted to higher-privilege users. This represents a low-severity data exposure that could leak operational details about table structure and content filtering strategies. The vulnerability has been resolved in Nextcloud Tables versions 1.0.4 and 2.0.0.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-1230
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Nextcloud is an open source content collaboration platform. From version 0.8.0 to before version 1.0.4, the view filter criteria is exposed to users with read-only permissions in Nextcloud Tables. This issue has been patched in versions 1.0.4 and 2.0.0.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from improper access control enforcement in Nextcloud Tables' view filter mechanism. When constructing or displaying filtered views, the application fails to validate that read-only users should not have visibility into the filter criteria themselves—only the filtered results. This is classified as a privilege escalation or exposure of restricted information (CWE-1230: Improper Restriction of Rendered UI Layers or Frames). The CVSS 3.1 score of 4.3 (MEDIUM) reflects low-complexity exploitation requiring only valid authentication (PR:L) with network accessibility and a low confidentiality impact, with no integrity or availability concerns (C:L/I:N/A:N).

Business impact

This leak of filter criteria can expose internal table schemas, metadata, and business logic that organizations may consider sensitive. If filter criteria reference specific fields, data patterns, or naming conventions, attackers with read-only access gain reconnaissance information that could inform social engineering, targeted lateral movement, or follow-on attacks. For regulated environments (healthcare, finance, legal), unintended exposure of query logic or field definitions may create compliance audit findings. The impact is primarily informational rather than destructive; no data modification or service disruption occurs.

Affected systems

Nextcloud Tables versions 0.8.0 through 1.0.3 are vulnerable. Nextcloud Tables 1.0.4 and 2.0.0 and later incorporate the fix. Users should identify whether they are running any affected version within that range. Note that Nextcloud Tables is a component of the broader Nextcloud platform; verify your installation includes Tables and confirm its specific version number.

Exploitability

Exploitation requires valid Nextcloud credentials with at least read-only access to a table containing filtered views. No authentication bypass, user interaction, or complex exploitation chain is necessary. An attacker with legitimate read-only credentials can trivially view filter metadata by accessing or inspecting view definitions. The low CVSS environmental multiplier (AC:L, no special conditions required) means this is straightforward to reproduce in any vulnerable deployment with read-only users present. However, the real-world risk depends on whether your organization grants read-only table access to untrusted or external users.

Remediation

Upgrade Nextcloud Tables to version 1.0.4 or later (preferably 2.0.0 or newer for additional features and fixes). Organizations on version 0.8.x or 1.0.0–1.0.3 should prioritize this update. Before upgrading, review your backup and change-management procedures, particularly if you have custom integrations or heavy reliance on Tables functionality. Test in a staging environment if feasible.

Patch guidance

Nextcloud provides official patch releases: upgrade to version 1.0.4 or 2.0.0+. Follow Nextcloud's documented upgrade process for your deployment model (Docker, traditional PHP hosting, snaps, etc.). Verify patch success by confirming the version string post-upgrade and auditing that filter criteria are no longer visible to read-only users. If you are on a long-term support or stable release channel, check the Nextcloud release schedule to confirm availability; if not yet released for your channel, temporarily move to a newer branch or await a backport.

Detection guidance

Monitor Nextcloud logs for access attempts to view filter definitions by read-only accounts (check `/var/www/nextcloud/data/nextcloud.log` or your log aggregation platform). Examine browser developer tools (Network/Inspector tabs) when read-only users access Tables to see if filter metadata is included in API responses or DOM elements. Review audit trails for any read-only user querying table metadata endpoints. Conduct a manual audit: log in with a read-only account, attempt to view or edit existing filtered views, and confirm whether filter criteria are exposed. Consider a security code review if you maintain a custom Nextcloud Tables plugin or extension.

Why prioritize this

While the CVSS score is MEDIUM (4.3) with no active KEV listing, this issue should receive prompt but not emergency attention. The vulnerability requires valid credentials and yields only informational exposure, making it lower-risk than critical or high-severity flaws. However, prioritize it above low-priority items if your deployment includes external or contractor read-only users, or if your tables store metadata considered confidential. Patch within your normal maintenance window (4–8 weeks) unless you have regulatory deadlines or threat intelligence indicating active scanning.

Risk score, explained

CVSS 3.1 score of 4.3 (MEDIUM) reflects: network-accessible API (AV:N), no special conditions or exploitation difficulty (AC:L), requirement for prior authentication as read-only user (PR:L), no user interaction needed (UI:N), unchanged security scope (S:U), and low confidentiality impact with no integrity or availability impact (C:L/I:N/A:N). The score appropriately penalizes the information disclosure while acknowledging that read-only access is a prerequisite and the leaked data does not directly compromise user data or system function. Not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of June 2026, indicating no public, weaponized exploits are yet in circulation.

Frequently asked questions

Do we need to patch immediately, or can we schedule this during our next maintenance window?

Given the MEDIUM severity and low exploitation risk (requires valid credentials, informational only), you can safely schedule this within your standard patch cycle—typically 4–8 weeks. However, if your Nextcloud instance is internet-facing and you grant read-only table access to external partners or contractors, prioritize it to the upper end of your window. Emergency patching is not necessary unless you detect active exploitation attempts.

How do we verify that our read-only users can no longer see filter criteria after patching?

Create a test account with read-only permissions on a table with existing filters. Log in as that account and attempt to open or inspect the view definition. Before the patch, the filter criteria should be visible; after patching, they should be hidden or inaccessible. You can also inspect the network requests in your browser's developer tools to confirm that filter metadata is no longer returned in API responses.

What if we're running Nextcloud Tables as part of a larger Nextcloud installation? Do we need to upgrade the entire Nextcloud suite?

Tables is a component of Nextcloud, but you typically do not need to upgrade your entire Nextcloud core installation if a Tables-specific fix is available. Verify your Nextcloud version and the bundled or separately-installed Tables version. Follow the Nextcloud upgrade instructions for your deployment model; many installations can update Tables independently of the core. Consult the official Nextcloud release notes to confirm version compatibility.

Does this vulnerability allow read-only users to modify or delete data, or is it purely a view/access issue?

This is purely an information disclosure vulnerability. The filter criteria exposure does not grant read-only users the ability to modify, delete, or access restricted data itself—only the metadata describing how views are filtered. Read-only permissions remain enforced for actual data operations. The risk is reconnaissance and potential compliance violations, not unauthorized data manipulation.

This analysis is provided for informational purposes and represents a synthesis of publicly available CVE data, vendor advisories, and general security best practices as of June 2026. Actual vulnerability severity, exploitability, and remediation timelines may vary based on your specific Nextcloud deployment, configuration, and access controls. Verify all patch version numbers, compatibility, and upgrade procedures directly against official Nextcloud release notes and security advisories before implementing changes. SEC.co makes no warranty regarding the completeness or accuracy of this intelligence and recommends consulting with your Nextcloud vendor or a qualified security professional for deployment-specific guidance. This is not a substitute for professional security advice or penetration testing. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).