HIGH 8.2

CVE-2026-45545: Nextcloud Tables SQL Injection Vulnerability—Patch Guidance

Nextcloud Tables contains a SQL injection vulnerability that allows authenticated users with Tables app access to execute SQL queries beyond the intended 20-byte limit. By crafting specially formed input, attackers can bypass this constraint and run arbitrary database commands to steal sensitive information or alter data. The vulnerability affects multiple Nextcloud versions and has been resolved in patched releases.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Weaknesses (CWE)
CWE-89
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Nextcloud is an open source content collaboration platform. From versions 0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, and 1.0.0 to before 1.0.4, an authenticated attacker with access to the Tables app may be able to execute arbitrary up to 20 bytes long SQL queries, through a stored injection. With carefully crafted input it is possible to break out of the length limitation. The attacker could use this to extract information from the database, or modify data. This issue has been patched in versions 0.7.7, 0.8.10, 0.9.8, 1.0.4, and 2.0.0.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45545 is a stored SQL injection vulnerability in Nextcloud Tables (CWE-89) affecting versions 0.7.0–0.7.6, 0.8.0–0.8.9, 0.9.0–0.9.7, and 1.0.0–1.0.3. The flaw exists in input validation logic that nominally restricts dynamic SQL queries to 20 bytes; however, carefully constructed payloads can circumvent this restriction. The vulnerability requires prior authentication and Tables app access. CVSS 3.1 score of 8.2 (HIGH) reflects the combination of network accessibility, authentication requirement, high confidentiality and integrity impact, and lack of availability impact.

Business impact

A compromised Nextcloud Tables installation could result in unauthorized access to sensitive data stored within the database, including user records, file metadata, and shared information. Attackers may also modify or delete data, compromising data integrity and potentially disrupting collaborative workflows. The need for prior authentication limits exposure but does not eliminate risk, particularly in environments where user account security is weak or where insider threats are a concern.

Affected systems

Nextcloud Tables versions 0.7.0 through 0.7.6, 0.8.0 through 0.8.9, 0.9.0 through 0.9.7, and 1.0.0 through 1.0.3 are affected. Patched versions are 0.7.7, 0.8.10, 0.9.8, 1.0.4, and 2.0.0. Organizations running any unpatched version in these ranges should prioritize assessment and remediation. The vulnerability does not affect Nextcloud core; it is specific to the Tables application.

Exploitability

Exploitation requires valid Nextcloud credentials and active access to the Tables app—a meaningful but not prohibitive barrier. The SQL injection mechanism is reliable once an attacker understands the bypass technique; no user interaction is needed. The CVSS vector (AC:H, PR:L) indicates moderate attack complexity and low privilege requirements. Public exploit code or detailed proof-of-concept details are not yet widely available, but the injection type is well-understood in the security community. Organizations should assume exploitation is plausible if the vulnerability remains unpatched and attacker motivation exists.

Remediation

Apply patches immediately: upgrade to versions 0.7.7, 0.8.10, 0.9.8, 1.0.4, or 2.0.0 depending on your current release line. Nextcloud provides updates through both direct download and package managers. Prior to patching, restrict Tables app access to trusted users only and monitor database activity for unusual query patterns. Consider temporary disabling of the Tables app if immediate patching is not feasible.

Patch guidance

Verify your current Nextcloud Tables version via Administration > Apps > Tables or command-line tools. Plan a maintenance window and test patches in a non-production environment first. Upgrade sequentially through your release line if you are significantly behind the latest version; do not skip intermediate patches without vendor confirmation. After patching, verify the Tables app is functioning normally and confirm via the admin panel that you are running a patched version. Consult the official Nextcloud release notes for any additional migration or configuration guidance specific to your deployment.

Detection guidance

Monitor Nextcloud logs and database query logs for SQL syntax anomalies, particularly SELECT, INSERT, UPDATE, or DELETE statements originating from Tables app requests. Look for byte-length patterns or encoding tricks that suggest payload obfuscation. Audit access to the Tables app in user activity logs, focusing on users with recent privilege escalation or unusual login patterns. Network-level IDS/IPS rules should monitor for HTTP POST/PUT requests to Tables endpoints with suspicious parameter encoding. Implement database query auditing if available in your database platform to capture and review all dynamic queries.

Why prioritize this

CVSS 8.2 (HIGH) combined with confirmed patches and technical feasibility of exploitation merits prompt remediation. The requirement for authentication reduces but does not eliminate urgency; insider threats and credential compromise scenarios are realistic. The scope impact (changed from unchanged to changed in CVSS) indicates the attack can affect system confidentiality and integrity beyond the vulnerable component. Organizations with sensitive data in Nextcloud or high-trust user populations should prioritize this within 30 days; all others should complete remediation within 60 days.

Risk score, explained

The CVSS 3.1 score of 8.2 reflects: (1) Network vector—Tables are accessed over the network, increasing reach; (2) High attack complexity and low privilege requirement—an authenticated user with Tables access can exploit this without special conditions; (3) High impact on confidentiality and integrity—SQL injection directly enables data exfiltration and modification; (4) Scope change—the attack can affect the database and potentially other Nextcloud functions; (5) No availability impact—the vulnerability does not cause denial of service. The score does not account for exploitability in the wild or prevalence; organizations should use it as one input alongside threat landscape and asset sensitivity.

Frequently asked questions

Do I need to disable the Tables app while waiting for patches?

Not necessarily, but you should restrict access to trusted users only. If your organization has not yet deployed the Tables app widely or if patching can occur within days, waiting is reasonable. For environments with sensitive data or broad user access, temporary disabling minimizes risk. Coordinate with your user base and document the timeline for re-enabling.

Can the 20-byte limit actually be bypassed reliably, or is this a theoretical flaw?

The CVE description indicates that 'with carefully crafted input' the limit can be broken, suggesting a practical bypass exists. The Nextcloud security team has patched the vulnerability, confirming it is real and exploitable. Do not assume the constraint provides meaningful protection.

Does this vulnerability affect Nextcloud Server as a whole, or only the Tables app?

This is specific to the Tables app, a separate extension within Nextcloud. Nextcloud Server core is not directly affected. However, because Tables integrates with the Nextcloud database, a successful attack can expose data from the broader Nextcloud installation, not just Tables-specific data.

What should I do if I cannot patch immediately?

Implement compensating controls: restrict Tables app access to a small number of trusted administrators, enable detailed database and application logging to detect anomalous queries, and consider network segmentation to limit the blast radius. Set a firm deadline for patching—this vulnerability is not suitable for extended deferral. Monitor threat intelligence for any active exploitation.

This analysis is based on the CVE record and vendor advisories as of the published date. Organizations should verify patch availability and compatibility with their specific Nextcloud deployment version and configuration before applying updates. Exploit code details are not provided; this summary is for risk assessment and incident response planning only. SEC.co makes no warranty regarding the completeness or timeliness of this information. Always consult the official Nextcloud security advisory and release notes for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).