MEDIUM 6.8

CVE-2026-45810: Nextcloud Comment Authorization Bypass (CVSS 6.8)

Nextcloud Server contains an authorization flaw that allows any authenticated user with access to a single file comment to read all comments across the system. The vulnerability stems from missing validation when retrieving comment data, effectively breaking comment-level access controls. An attacker needs valid Nextcloud credentials and interaction with at least one comment, but can then enumerate and read comments they should not have permission to access. This affects Nextcloud Server 31.0.0 through 31.0.11 and 32.0.0 through 32.0.2, with critical patches available.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.8 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Weaknesses (CWE)
CWE-639
Affected products
2 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.12, and 32.0.0 to before 32.0.3, a missing check of a relation allowed authenticated users with access to any file comment, to read the content of all comments. It is recommended that the Nextcloud Server is upgraded to 31.0.12 or 32.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 21.0.9.20, 22.2.10.35, 23.0.12.31, 24.0.12.30, 25.0.13.25, 26.0.13.22, 27.1.11.22, 28.0.14.13, 29.0.16.10, 30.0.17.5, 31.0.12 or 32.0.3

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability is a missing authorization check (CWE-639) in Nextcloud Server's comment retrieval mechanism. When processing comment data, the application fails to validate whether the requesting user has permission to access a specific comment before returning its content. Because the check is missing rather than misconfigured, an authenticated session is sufficient to bypass the intended access boundary. The flaw operates at the API or data-layer level where comments are fetched, allowing enumeration and disclosure of all system comments regardless of file or user isolation. The requirement for user interaction (clicking or navigating to a comment) reflects the CVSS rating's UI component, though the underlying exposure is structural.

Business impact

Comment data often contains sensitive discussions—project decisions, code reviews, security notes, or administrative decisions—intended to remain visible only to specific teams or file collaborators. Unauthorized access to this metadata can expose strategic information, compliance discussions, or embarrassing internal communications. For enterprises using Nextcloud as a regulated content repository, this may trigger breach notification obligations depending on comment content classification. The reputational and compliance risk is elevated in sectors handling sensitive data (healthcare, legal, finance). The fix is straightforward and non-disruptive, making remediation a business priority rather than a technical burden.

Affected systems

Nextcloud Server versions 31.0.0 through 31.0.11 and 32.0.0 through 32.0.2 are vulnerable. Nextcloud Enterprise Server is affected across multiple legacy versions (21.0.9.20 and earlier, 22.2.10.35 and earlier, 23.0.12.31 and earlier, 24.0.12.30 and earlier, 25.0.13.25 and earlier, 26.0.13.22 and earlier, 27.1.11.22 and earlier, 28.0.14.13 and earlier, 29.0.16.10 and earlier, 30.0.17.5 and earlier). Self-hosted and on-premises Nextcloud deployments are directly affected; Nextcloud cloud services' patch status should be verified with the vendor. Older enterprise versions likely receive less frequent security attention, making inventory accuracy critical.

Exploitability

Exploitation requires valid Nextcloud credentials—no unauthenticated attack is possible. The attacker must have interacted with at least one comment (viewed or accessed it), which creates a UI interaction requirement. Once that initial interaction occurs, the missing authorization check allows the attacker to systematically retrieve all comments in the system via repeated requests. The barrier to exploitation is low for internal threats or compromised accounts, and moderate for external attackers who must first obtain credentials. No known public exploit code exists at this time, though the vulnerability is straightforward to demonstrate once authenticated.

Remediation

Upgrade Nextcloud Server to 31.0.12 or 32.0.3 immediately. For Enterprise Server, upgrade to the patched version corresponding to your branch: 31.0.12, 32.0.3, or the earliest patched version in your supported track (verify against vendor advisory for your specific version line). Test patches in a staging environment first to confirm compatibility with custom apps or extensions. After patching, no data cleanup is required; the fix restores proper authorization checks going forward. Consider auditing comment access logs if available to identify unauthorized reads during the vulnerability window.

Patch guidance

Nextcloud Server users should prioritize upgrading to 31.0.12 (for 31.x) or 32.0.3 (for 32.x) as a routine maintenance task—no emergency intervention is needed if comment data is not highly classified. Enterprise Server administrators should consult the vendor's security advisory to identify the correct patched version for their supported branch and test in staging before production deployment. Verify patch application by confirming version numbers post-upgrade and, where possible, testing comment access restrictions with a test user account. If running unsupported versions, contact vendor support for extended security updates or plan a version upgrade.

Detection guidance

Monitor Nextcloud access logs for unusual patterns of comment retrieval requests (high frequency, sequential access across unrelated files, or requests from unexpected user accounts). Check for API calls to comment endpoints (typically /ocs/v2.php/apps/comments/api/v1/comments or equivalent) with parameter combinations that suggest enumeration. If detailed audit logging is available, flag sessions that access comments outside the user's normal file collaboration scope. In post-incident analysis, cross-reference comment access logs against user permission matrices to identify unauthorized reads. Nextcloud activity logs should retain sufficient history to detect exploitation, though log retention policies vary by deployment.

Why prioritize this

Although classified as MEDIUM severity, this vulnerability should be addressed with moderate-to-high priority because it enables direct unauthorized access to communication records. Comments often contain sensitive information (decisions, reviews, embarrassing discussions) that users assume is restricted. The fix is non-disruptive and available immediately, removing any excuse for delay. Organizations with strict data classification or regulatory requirements (healthcare, legal, finance) should treat this as higher priority. Low-privilege attackers (disgruntled employees, compromised contractor accounts) can exploit this with minimal effort once inside, making proactive patching a control against insider risk.

Risk score, explained

The CVSS:3.1 score of 6.8 (MEDIUM) reflects: (1) network-accessible attack vector and low attack complexity—any authenticated user can exploit; (2) low privilege requirement but mandatory user interaction (clicking a comment); (3) high confidentiality impact—all comments become readable; (4) no integrity or availability impact—data is not modified or deleted; and (5) changed scope—an unauthenticated file viewer's privileges are extended to view comments beyond their scope. The score is appropriately conservative because the attack requires prior authentication and user interaction, but the scope change and high confidentiality impact justify MEDIUM rather than LOW. Organizations handling sensitive information may evaluate this as functionally higher-risk than the score suggests.

Frequently asked questions

Do we need to restart Nextcloud after applying the patch?

Nextcloud patches typically do not require a restart, though restarting the web server or application service after upgrade is a best practice to ensure all processes load the new code. Consult your deployment guide and test in staging first to confirm your specific environment.

Can an attacker see comments if they do not have access to the underlying file?

Yes, that is the vulnerability. The missing authorization check allows an attacker with any file comment access to read all comments in the system, regardless of whether they have permission to access the files those comments are attached to. The patch restores the boundary.

Does this vulnerability affect file content or only comments?

Only comments are affected. File content access controls remain intact. However, comments themselves may contain sensitive information (decisions, code snippets, or metadata) that users intended to keep restricted.

Is there a workaround if we cannot patch immediately?

No reliable workaround exists short of restricting comment functionality entirely (not recommended). Patching is the only remediation. If you cannot patch in the short term, prioritize reducing the number of users with comment access and audit who has accessed comments during the window of vulnerability.

This analysis is based on vendor-supplied CVE data and security advisories as of the publication date. Patch version numbers and affected version ranges are sourced directly from the Nextcloud security advisory and should be verified before deployment. CVSS scores reflect scoring conventions and may not capture all organizational risk factors; consider your data classification and regulatory environment when prioritizing remediation. SEC.co does not provide guaranteed vulnerability detection or forensic analysis; use in conjunction with your own vulnerability management and security assessment processes. Always test patches in a non-production environment before deploying to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).