CVE-2026-45690: Nextcloud 2FA Bypass via Session Token Replay
Nextcloud Server contains an authentication bypass flaw that lets attackers with a valid password defeat two-factor authentication (2FA). During login, the system temporarily grants a session token before asking for the second factor. An attacker who intercepts this token can replay it using HTTP Basic Authentication to access the account without providing the 2FA code. This affects Nextcloud Server versions 32.0.0 through 32.0.8 and 33.0.0 through 33.0.2, as well as older Enterprise Server branches. The vulnerability requires knowledge of the user's password, limiting opportunistic exploitation but creating a material risk for password-compromised accounts.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
- Weaknesses (CWE)
- CWE-287
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user's password to circumvent two-factor authentication (2FA) protections. When a user initiated login with valid credentials on a 2FA-enabled account, the system created a temporary session token before enforcing the second factor challenge. This token could be extracted and replayed via HTTP Basic Authentication to gain unauthorized access to authenticated endpoints. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from a session token issuance logic flaw in Nextcloud's authentication workflow. When a user submits valid credentials on an account with 2FA enabled, the server creates a temporary authenticated session token before enforcing the secondary challenge. This token is not sufficiently scoped or time-limited to prevent replay. An attacker who obtains this token—either through network interception, logging, or memory dumps during the authentication window—can submit it via HTTP Basic Authentication headers to authenticated API endpoints, bypassing the second factor requirement entirely. The vulnerability is categorized as CWE-287 (Improper Authentication), reflecting a fundamental flaw in session lifecycle management.
Business impact
This vulnerability degrades the security posture of deployments relying on 2FA to protect sensitive collaboration data and user accounts. Organizations using Nextcloud for regulated workloads (healthcare, finance, legal) face compliance implications if 2FA bypass occurs. The risk is elevated in environments where password compromise is likely—phishing campaigns, credential stuffing, or insider threats—since the second factor becomes ineffective. Affected users cannot trust 2FA as a compensating control; attackers need only the password. This may trigger incident response, user notification, and potential re-authentication of all active sessions.
Affected systems
Vulnerable versions: Nextcloud Server 32.0.0–32.0.8 and 33.0.0–33.0.2; Nextcloud Enterprise Server 33.0.0–33.0.2, 32.0.0–32.0.8, 31.x before 31.0.14.5, 30.x before 30.0.17.9, and 29.x before 29.0.16.16. Self-hosted and cloud deployments are affected. Organizations running Server editions outside the vulnerable ranges and those already updated to 33.0.3, 32.0.9, or the specified Enterprise versions are not affected.
Exploitability
Exploitability is moderate. An attacker must already possess the target user's password, limiting exploitation to scenarios involving credential compromise. However, once the password is known, the attack is straightforward: send a login request, capture the temporary token from the server response or session storage, and replay it via HTTP Basic Authentication. No user interaction or complex techniques are required beyond the initial password acquisition. The vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog, but the simplicity of the attack vector suggests it could be weaponized rapidly if publicly disclosed attack code emerges.
Remediation
Upgrade Nextcloud Server to version 33.0.3, 32.0.9, or later. Enterprise customers must upgrade to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, or 29.0.16.16 depending on their current release line. Administrators should also enforce password rotation for all users post-upgrade to invalidate credentials potentially exposed during the vulnerability window, and review authentication logs for suspicious token replays or unusual API access patterns. Consider temporarily enforcing additional account lockout policies or monitoring for 2FA bypass attempts during the upgrade window.
Patch guidance
Verify your current Nextcloud Server version via Administration > Overview or the config.php file. If running version 32.0.x, update to 32.0.9 or migrate to the 33.x line (33.0.3+). If running 33.0.x, update to 33.0.3. Enterprise customers should consult their release notes and apply the corresponding patch for their branch (31.0.14.5, 30.0.17.9, 29.0.16.16, or later). Test patches in a non-production environment first, as authentication changes may affect integrations. Plan for a maintenance window; authenticated sessions may need refresh post-patch.
Detection guidance
Search authentication logs and web server logs for: (1) HTTP Basic Auth requests to /ocs or /remote.php/webdav endpoints occurring seconds after a login attempt; (2) multiple API calls from the same user account originating from different IP addresses within a short time window; (3) successful API authentication that bypassed the expected 2FA challenge endpoint. Enable verbose logging for authentication events in Nextcloud's config.php (set 'loglevel' to DEBUG). Review Nextcloud audit logs in Administration > Logging for 'login' and 'app_enabled' events. Check reverse proxy and WAF logs for replayed Authorization headers.
Why prioritize this
This vulnerability merits prompt patching despite its MEDIUM CVSS score (5.9). The attack surface is limited to password-compromised accounts, but the security impact is high: 2FA, a foundational defense, is completely bypassed. In regulated environments or organizations with strict authentication controls, this represents a direct control failure. The patch is straightforward and poses low regression risk. Prioritize patching for instances serving sensitive data or user populations with high-value credentials. Standard business systems should patch within two weeks.
Risk score, explained
The CVSS 3.1 score of 5.9 (MEDIUM) reflects the authentication requirement (attacker must know the password; PR:L), high attack complexity (requires token interception; AC:H), and limited impact scope (integrity high, confidentiality low, availability none; S:U/C:L/I:H/A:N). While the score is moderate, context matters: 2FA bypass justifies elevated concern in organizations relying on Nextcloud for compliance or sensitive collaboration. The KEV catalog does not list this vulnerability, suggesting limited real-world exploitation as of the assessment date, but the exploit pathway is trivial once credentials are obtained.
Frequently asked questions
Can an attacker exploit this without knowing the user's password?
No. The attacker must already possess valid credentials for the target account. This limits exploitation to scenarios where passwords have been compromised via phishing, data breaches, or insider threats. The vulnerability does not enable password-less or unauthenticated access.
Does upgrading immediately revoke the temporary tokens that were issued before patching?
Upgrading patches the token issuance logic going forward, preventing new bypass attempts. However, tokens issued before the upgrade may remain valid until their natural expiry. After patching, consider forcing a global re-authentication via Administration > Users or terminating active sessions to revoke pre-patch tokens. Verify your Nextcloud version's session management documentation for specific guidance.
How does this differ from a standard account compromise?
Standard compromise means the attacker has full account access with all privileges. This vulnerability allows an attacker with only the password to bypass 2FA, gaining access without the second factor. If 2FA was your only defense against credential compromise, this vulnerability eliminates that control. Accounts with additional protections (IP whitelisting, device fingerprinting) may still be partially defended.
Is there a workaround if I cannot patch immediately?
No safe workaround exists. Disabling 2FA is not recommended and defeats the purpose. Consider temporarily restricting API access via reverse proxy or WAF rules, narrowing authentication methods to OAuth2 or SAML if available, or implementing network-level access controls. However, these are not substitutes for patching; prioritize applying the vendor patch as soon as feasible.
This analysis is based on vendor advisory data and CVE records as of the publication date. SEC.co does not provide exploit code or weaponized proof-of-concepts. Patch version numbers and supported branches are subject to change; verify against official Nextcloud release notes and your vendor support documentation. This vulnerability analysis is for informational purposes and should not substitute for a complete security assessment of your Nextcloud deployment. Test all patches in a non-production environment before production deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-45283MEDIUMNextcloud File Lock Authorization Bypass
- CVE-2026-45691MEDIUMNextcloud 2FA Bypass via Session Cookie Reuse on DAV Endpoints
- CVE-2023-5502MEDIUMArista EOS 802.1x Authentication Bypass Vulnerability
- CVE-2026-10283MEDIUMBottelet DaybydayCRM Authentication Bypass in Settings Handler
- CVE-2026-10548MEDIUMImproper Authentication in NousResearch hermes-agent Credential Synchronization
- CVE-2026-45153MEDIUMNextcloud Android Files App PIN Bypass via Back Button
- CVE-2026-45289MEDIUMCloudburstMC Protocol Authentication Validation Bypass (MEDIUM)
- CVE-2026-10157HIGHOpen5GS NGAP Authentication Bypass Vulnerability – 5G Core Network Risk