Skip to main content

Nextcloud Collectives CVE-2026-45154

| EUVDEUVD-2026-33673 LOW
Improper Access Control (CWE-284)
2026-06-01 GitHub_M
2.6
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.6 LOW
AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jun 01, 2026 - 18:01 EUVD
Source Code Evidence Fetched
Jun 01, 2026 - 17:19 vuln.today
Analysis Generated
Jun 01, 2026 - 17:19 vuln.today

DescriptionGitHub Advisory

Nextcloud is an open source content collaboration platform. From version 2.6.0 to before version 4.3.0, when a previous collective pages was deleted and the collective was shared view-only, guests with access to the collective were able to access the deleted pages directly from the trashbin. This issue has been patched in version 4.3.0.

AnalysisAI

Nextcloud Collectives versions 2.6.0 through 4.3.0 (exclusive) exposes deleted collective pages to unauthorized guests via a missing permission check in the public trash controller. Guests granted view-only access to a shared collective can bypass deletion-based access controls by directly querying trashbin endpoints, reading content that was intentionally removed. CVSS scores this at 2.6 (Low) with no public exploit identified at time of analysis and no CISA KEV listing, placing real-world priority at the lower end of the risk spectrum.

Technical ContextAI

Nextcloud Collectives is a Nextcloud application providing collaborative wiki-style page management. The vulnerability resides in PublicPageTrashController.php, where the trash retrieval path for public (guest) users omitted a call to checkEditPermissions() before serving deleted page content. CWE-284 (Improper Access Control) precisely describes this root cause: the access control gate enforced for active pages was simply absent on the trashbin endpoint. The PR diff at https://github.com/nextcloud/collectives/pull/2432 confirms the fix was a single-line addition of checkEditPermissions() to the relevant controller branch, demonstrating the narrowness of the oversight. The affected CPE is cpe:2.3:a:nextcloud:security-advisories:*:*:*:*:*:*:*:* per NVD, though functionally this is the Collectives component specifically.

RemediationAI

Upgrade Nextcloud Collectives to version 4.3.0, which introduces the missing checkEditPermissions() call in PublicPageTrashController.php as confirmed by the upstream fix at https://github.com/nextcloud/collectives/pull/2432. The vendor-released patch is version 4.3.0 per the security advisory GHSA-8mpv-ggq8-hf3w. If immediate upgrade is not possible, a compensating control is to revoke all view-only guest sharing of collectives containing sensitive pages and avoid sharing collectives where deleted-page confidentiality is a concern. Disabling the public share link for sensitive collectives entirely eliminates the exposed attack surface, though this removes intended collaboration functionality for those collectives.

CVE-2023-26482 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2020-8180 CRITICAL POC
9.9 Jun 08

A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co

CVE-2023-48306 CRITICAL POC
9.8 Nov 21

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),

CVE-2016-9463 HIGH POC
8.1 Mar 28

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti

CVE-2023-31128 HIGH POC
8.8 May 26

NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2023-28643 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2021-22879 HIGH POC
8.8 Apr 14

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi

CVE-2019-12739 HIGH POC
8.8 Jun 05

lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi

CVE-2020-8259 HIGH POC
8.1 Nov 16

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the

CVE-2020-8121 HIGH POC
8.1 Feb 04

A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high

CVE-2020-8182 HIGH POC
8.0 Oct 05

Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss

CVE-2020-8224 HIGH POC
7.8 Aug 10

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi

Share

CVE-2026-45154 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy