MEDIUM 5.9

CVE-2026-45691: Nextcloud 2FA Bypass via Session Cookie Reuse on DAV Endpoints

Nextcloud Server contains a session management flaw that allows attackers to bypass two-factor authentication (2FA). When a user logs in with their password but hasn't completed TOTP verification yet, a temporary session cookie is created. An attacker with legitimate credentials can capture or reuse this intermediate cookie as a Bearer token to directly access file storage endpoints (DAV), gaining unauthorized read and write access while completely circumventing the mandatory 2FA requirement. This affects Nextcloud Server versions 32.0.0–32.0.8 and 33.0.0–33.0.2, as well as several Enterprise Server releases.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Weaknesses (CWE)
CWE-287
Affected products
2 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer token to authenticate against DAV endpoints, granting read/write access and bypassing mandatory two-factor authentication. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from improper session token handling during the 2FA flow. After password authentication succeeds but before TOTP completion, Nextcloud issues a pre-2FA session cookie intended only for completing the authentication challenge. However, this cookie is accepted by WebDAV/CalDAV/CardDAV endpoints (DAV protocol handlers) as a valid Bearer token without re-validating the 2FA requirement. An authenticated attacker can extract or replay this intermediate session state to directly invoke DAV operations, effectively treating the incomplete authentication as fully authenticated. The flaw is rooted in CWE-287 (Improper Authentication) and reflects a disconnect between session state validation in the authentication middleware and resource-access control layers.

Business impact

For organizations relying on Nextcloud for sensitive document collaboration or compliance-sensitive workflows, this flaw materially undermines the security model. Mandatory 2FA is often deployed to meet regulatory requirements (SOC 2, ISO 27001, HIPAA) or internal security policy. An insider or compromised low-privilege account holder can access and modify shared files and calendars without completing 2FA, creating audit failures and data integrity risks. The flaw is particularly concerning in multi-tenant or federated deployments where users may access shared repositories. Incident response becomes complicated when file modifications cannot be reliably attributed to authenticated users who completed full authentication.

Affected systems

Nextcloud Server: versions 32.0.0 through 32.0.8 and 33.0.0 through 33.0.2. Nextcloud Enterprise Server: versions 29.0.0–29.0.16.15, 30.0.0–30.0.17.8, 31.0.0–31.0.14.4, 32.0.0–32.0.8, and 33.0.0–33.0.2. Self-hosted and cloud-hosted instances using affected versions are at risk. Environments with enforced 2FA policies or high-value collaborative repositories face the greatest exposure.

Exploitability

Exploitation requires valid user credentials and network access to the Nextcloud instance. The attacker must log in, intercept or observe the pre-2FA session cookie during the brief window before TOTP completion, and then use that cookie in a DAV request. While this does require legitimate account access and some timing awareness, the attack surface is real in environments with shared workstations, compromised accounts, or insider threats. The CVSS score of 5.9 (MEDIUM) reflects the requirement for prior authentication (PR:L) and high complexity (AC:H), but acknowledges the high integrity impact (I:H) once achieved. No public exploit code is currently tracked in CISA KEV as of this writing.

Remediation

Upgrade immediately to patched versions: Nextcloud Server 32.0.9 or later, or 33.0.3 or later. For Enterprise Server customers, apply 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, or 29.0.16.16 respectively. The fix involves enforcing 2FA completion checks within the DAV authentication handler and preventing pre-2FA session tokens from being accepted as valid Bearer credentials for resource access. Organizations should validate patches in a staging environment before production rollout to ensure no disruption to active collaborations or integrations.

Patch guidance

1. Review your current Nextcloud version (Administration → Overview or Settings → About). 2. If running Server version 32.x, upgrade to 32.0.9+. If running 33.x, upgrade to 33.0.3+. For Enterprise customers on versions 29–32, consult the corresponding patch levels listed above. 3. Test in a non-production environment first, especially if you use third-party DAV clients, mobile apps, or integrations. 4. After upgrading, verify that 2FA enforcement is still active and that DAV clients re-authenticate properly. 5. Monitor logs for any pre-2FA session token reuse attempts in the days following the upgrade to detect exploitation attempts against the old code.

Detection guidance

1. Log Analysis: Search for DAV endpoint requests (e.g., /remote.php/dav/) immediately after failed or incomplete 2FA flows. Correlate session IDs and IP addresses to identify reuse of intermediate session tokens. 2. Access Control Audits: Review file and calendar modification logs for changes attributed to users who did not complete 2FA during the relevant time window. 3. Session Monitoring: Enable verbose authentication logging and track the lifecycle of session tokens from login through 2FA completion. Flag cases where Bearer tokens are presented without a corresponding successful TOTP entry. 4. Endpoint Monitoring: Watch for DAV requests that lack or bypass the typical 2FA challenge flow in request headers or session state.

Why prioritize this

Although the CVSS score is MEDIUM (5.9), this vulnerability warrants high priority because it directly undermines a fundamental security control (2FA) that many organizations mandate for compliance and risk management. The attack surface includes any environment with shared credentials, insider threats, or lateral movement scenarios. The impact—unauthorized read/write access to collaborative data—can affect data integrity, audit trails, and regulatory compliance. Organizations with stringent access controls or classified/sensitive data repositories should treat this as urgent. The fact that it is not yet in CISA KEV does not diminish the risk; it reflects the relative recency of the disclosure.

Risk score, explained

CVSS 5.9 MEDIUM reflects: (1) Network accessibility (AV:N), making remote exploitation possible; (2) High complexity (AC:H), requiring specific timing, valid credentials, and token interception; (3) Low privilege required (PR:L), confirming the need for a valid account; (4) High integrity impact (I:H), as attackers can modify files and calendar entries; (5) Low confidentiality (C:L) and no availability impact. The score appropriately captures the authentication bypass aspect, but security teams should elevate their internal risk rating if they operate multi-tenant, high-value, or compliance-sensitive Nextcloud instances.

Frequently asked questions

Can this vulnerability be exploited remotely without a valid user account?

No. An attacker must possess valid Nextcloud credentials to log in and capture the pre-2FA session cookie. However, this includes compromised low-privilege accounts, shared credentials, or insider threats—all realistic scenarios in many organizations.

Does enabling 2FA on my account automatically protect me?

Enabling 2FA is the correct security practice, but this vulnerability exists precisely because 2FA is not fully enforced during the session lifecycle. Your files and calendars can be accessed if an attacker intercepts your pre-2FA session cookie. Upgrade to the patched version to restore proper 2FA enforcement.

Will my DAV clients (mobile apps, desktop sync, calendar integrations) continue to work after I apply the patch?

Yes. DAV clients that complete the full authentication flow—including TOTP entry—will function normally. Some older or misconfigured clients that re-use stale session tokens may need reconfiguration, but this is an expected side effect of closing a security hole.

Is there a workaround if I cannot patch immediately?

A practical mitigation is to restrict DAV access to specific IP ranges or require VPN connectivity, reducing the attack surface. However, this does not close the underlying flaw. Patching should be prioritized; if immediate patching is impossible, isolate high-risk Nextcloud instances or disable 2FA temporarily only as a last resort while you plan an upgrade.

This analysis is based on publicly disclosed CVE-2026-45691 information as of the published date. Patch version numbers and affected version ranges are sourced from the official Nextcloud security advisory and should be verified against your vendor's official channels before deployment. This document does not constitute vendor-specific security guidance; consult Nextcloud's official documentation and support for environment-specific recommendations. Proof-of-concept details are intentionally omitted. Security teams are responsible for validating patches in their own environments before production rollout. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).