HIGH 7.1

CVE-2026-45722: Nextcloud Tables SQL Injection Vulnerability – Patch Guidance

A vulnerability in Nextcloud's Tables app allows authenticated users to inject malicious SQL code through the ORDER BY clause of database queries. While this type of SQL injection is more limited than typical variants—attackers can extract only small amounts of data per request or cause database delays—it still poses a meaningful confidentiality and availability risk. The flaw affects Nextcloud Tables versions 0.9.0 through 0.9.6 and 1.0.0 through 1.0.1. Nextcloud has released patches that organizations should apply promptly.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Weaknesses (CWE)
CWE-89
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Nextcloud is an open source content collaboration platform. From versions 0.9.0 to before 0.9.7, and 1.0.0 to before 1.0.2, a missing sanitization in the Tables app allowed a user with access to the tables app to perform a limited SQL injection in the ORDER BY statement of a query. Compared to normal SQL injections, the ORDER BY is limited to extracting a single bit of information per request or to make the database wait for a given time. This issue has been patched in versions 0.9.7 and 1.0.2.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from insufficient input sanitization in the Tables app's query construction logic. An attacker with legitimate access to the Tables app can craft malicious ORDER BY clauses to inject SQL commands. The attack surface is constrained by the context: ORDER BY injection typically permits blind extraction (one bit of data per query, akin to blind SQL injection) or time-based inference attacks, rather than direct data exfiltration or schema enumeration. The attack requires authentication and app access, limiting exposure to insider threats or accounts with Tables privileges. The CVSS 3.1 score of 7.1 reflects high confidentiality impact, low availability impact, and a local privilege requirement—essentially degraded confidentiality within an authenticated session.

Business impact

For organizations using Nextcloud Tables as a collaborative data platform, this vulnerability could lead to unauthorized disclosure of sensitive information stored in database tables. An insider or compromised user account could systematically extract data through repeated queries. While the extraction is slower and more cumbersome than typical SQL injection, persistent attackers can still enumerate and exfiltrate information. Additionally, time-based injection could be weaponized to cause denial-of-service through resource exhaustion. In regulated environments (healthcare, finance, legal), any SQL injection—even limited—may trigger compliance violations and breach notification obligations.

Affected systems

Nextcloud Tables app in versions 0.9.0 through 0.9.6 (legacy branch) and 1.0.0 through 1.0.1 (current branch) are vulnerable. Organizations running Nextcloud deployments with Tables enabled are affected if they have not yet patched. Self-hosted Nextcloud instances are the primary target; Nextcloud GmbH's managed offerings may have been patched automatically depending on deployment timing. Other Nextcloud apps and core platform versions are not directly affected, though Tables is often enabled in collaborative deployments.

Exploitability

Exploitation requires valid Nextcloud credentials and explicit access to the Tables app. An attacker cannot exploit this remotely without authentication. Once inside Tables, the injection is straightforward to craft—simple SQL operators can be inserted into ORDER BY fields. However, extracting useful data is time-intensive; blind extraction requires many requests. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, and no public exploit code is known to exist. The barrier to exploitation is moderate: authentication required, but no zero-day weaponization observed. Insider threats and compromised accounts pose the highest risk.

Remediation

Upgrade Nextcloud Tables immediately to version 0.9.7 (for legacy users) or 1.0.2 (for current users). Verify the installed version via Nextcloud's admin interface or command-line tools. In parallel, review access control for the Tables app: disable it for users who do not require it, and enforce strong authentication (MFA) for accounts with Tables privileges. Monitor query logs for suspicious ORDER BY patterns—extremely long or unusual clauses may indicate injection attempts. If you cannot patch immediately, consider temporarily disabling Tables until a maintenance window is available.

Patch guidance

Nextcloud provides patches in versions 0.9.7 and 1.0.2. Administrators should: (1) Back up the Nextcloud database and configuration before patching. (2) Download the patched version from the official Nextcloud repository or update through the web admin console. (3) Test the patch in a non-production environment if possible. (4) Deploy to production and verify that Tables functionality remains operational. (5) Confirm the version number post-patch via the admin settings. The patch closes the sanitization gap without requiring data migration. For those unable to patch on schedule, document the risk acceptance, enforce network segmentation limiting Tables app access, and prioritize patching in the next maintenance window.

Detection guidance

Monitor for SQL injection signatures in application logs and database query logs. Specifically, watch for: (1) ORDER BY clauses containing SQL operators (AND, OR, UNION) or timing functions (SLEEP, BENCHMARK). (2) Repeated queries from the same user over short timeframes with varying ORDER BY values. (3) Unusual database wait times or CPU spikes correlating with Tables queries. (4) Failed authentication attempts followed by successful Tables queries (sign of account compromise). Implement query-level logging if available in your Nextcloud deployment. Network intrusion detection systems with SQL injection signatures may flag suspicious traffic. Correlate access logs with database query logs to identify anomalous user behavior.

Why prioritize this

This vulnerability merits immediate attention due to its HIGH CVSS score (7.1), confidentiality impact, and presence in a widely-used collaboration platform. Although exploitation is limited to authenticated users, insider threats and compromised credentials are prevalent. The tight patch availability (versions 0.9.7 and 1.0.2 already released) makes remediation straightforward, lowering friction for deployment. In regulated industries, any SQL injection—even order-by-scoped—creates compliance risk and may require incident reporting. Prioritize patching within your next change window, ideally within 7–14 days.

Risk score, explained

The CVSS 3.1 score of 7.1 reflects: (1) High confidentiality impact—authenticated users can extract database contents, albeit slowly. (2) Low availability impact—time-based injection can degrade performance but not fully block access. (3) Authentication requirement—reduces the attack surface significantly, preventing unauthenticated exploitation. (4) Network-accessible vector—typical of SaaS/web platforms. The score does not account for business context (e.g., the sensitivity of data in your Tables) or threat actor motivation; your organization's risk may be higher if Tables stores highly sensitive data or if you have elevated insider threat concern.

Frequently asked questions

Do I need to patch if I do not use the Tables app?

No, this vulnerability is specific to the Tables app. If the app is disabled or not installed, you are not affected. Verify in your Nextcloud admin interface under 'Apps' to confirm Tables status. However, if you plan to enable Tables in the future, patch proactively.

Can an attacker exploit this without a valid Nextcloud account?

No. The vulnerability requires authentication and explicit access to the Tables app. An attacker without valid credentials cannot trigger the vulnerability. This limits the risk to insiders, compromised accounts, or social engineering scenarios.

What is the difference between this SQL injection and typical SQL injection?

Typical SQL injection allows an attacker to read, modify, or delete large amounts of data quickly. ORDER BY injection is constrained: attackers extract one bit of information per query (blind injection) or induce time delays to infer data. It is slower and more noisy, but still a valid path to confidentiality breach.

If I cannot patch immediately, what should I do?

Reduce access to the Tables app: disable it for non-essential users, enforce MFA, and monitor query logs for suspicious activity. Consider network segmentation to limit who can reach Nextcloud. Document the risk and escalate patching to the next available maintenance window. Do not delay indefinitely.

This analysis is provided for informational purposes and does not constitute legal or compliance advice. Vulnerability severity and exploitability are context-dependent; your organization's risk may differ based on deployment topology, data sensitivity, and threat model. Patch versions 0.9.7 and 1.0.2 are referenced from the official CVE record; verify compatibility with your Nextcloud environment before deploying. No exploit code has been developed for this analysis. For official guidance, consult Nextcloud's security advisories and your internal security policies. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).