Skip to main content

Nextcloud Server CVE-2026-45155

| EUVDEUVD-2026-33674 LOW
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-01 GitHub_M
2.6
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.6 LOW
AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jun 01, 2026 - 18:01 EUVD
Source Code Evidence Fetched
Jun 01, 2026 - 17:20 vuln.today
Analysis Generated
Jun 01, 2026 - 17:20 vuln.today

DescriptionGitHub Advisory

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.7 and 33.0.0 to before 33.0.1, a missing access check on API level allowed to add unknown circles by their ID directly to other circles. Since circle IDs have 62^15 complexity by default this is still unlikely to be executable at will, but if access to an ID was available via another source, memberships could be tracked like this. It is recommended that the Nextcloud Server is upgraded to 32.0.7 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7 or 33.0.1

AnalysisAI

Nextcloud Server's Circles app exposes a missing access control check on the member-add API endpoint, allowing an authenticated user to add an arbitrary circle - identified only by its internal ID - as a member of another circle without verifying that the requesting user has any relationship to the target circle. Affected versions span 32.0.0-32.0.6 and 33.0.0, with Enterprise editions from 29.x through 31.x also impacted. Exploitation is severely constrained by the 62^15 entropy of circle IDs, making the vulnerability practically exploitable only when an attacker has obtained a valid circle ID through a separate information-disclosure path, at which point they could track or infer circle membership relationships. No public exploit exists and this is not listed in CISA KEV.

Technical ContextAI

The Nextcloud Circles app (a social graph and collaboration grouping feature within Nextcloud Server) exposes a REST API via LocalController.php for adding members to circles. The vulnerability is rooted in CWE-639 (Authorization Bypass Through User-Controlled Key): the API accepted a caller-supplied circle ID as the subject of a member-add operation of type TYPE_CIRCLE without performing a server-side access or existence check on that ID. The fix (PR #2401) inserts a call to circleService->getCircle($userId) before proceeding whenever the member type is TYPE_CIRCLE, enforcing that the target circle is resolvable and accessible. Circle IDs carry approximately 62^15 bits of entropy by default, which makes unaided enumeration computationally infeasible, but the API design flaw still constitutes an authorization-by-obscurity anti-pattern. The affected CPE is cpe:2.3:a:nextcloud:security-advisories:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade Nextcloud Server to version 32.0.7 or 33.0.1 (vendor-released patches). Enterprise Server users should upgrade to 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7, or 33.0.1 depending on their release track. The upstream fix is available in pull request https://github.com/nextcloud/circles/pull/2401 and is confirmed merged. If immediate upgrade is not feasible, a targeted compensating control is to audit and restrict API access to the Circles member-add endpoints at the reverse proxy or firewall level to authenticated internal network users only, reducing the network-reachable attack surface; however, this trades off legitimate remote collaboration functionality. Additionally, reviewing application and server logs for anomalous circle-member-add API calls referencing circle IDs not associated with the requesting user's visible circles may help detect any prior exploitation attempts.

CVE-2023-26482 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2020-8180 CRITICAL POC
9.9 Jun 08

A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co

CVE-2023-48306 CRITICAL POC
9.8 Nov 21

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),

CVE-2016-9463 HIGH POC
8.1 Mar 28

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti

CVE-2023-31128 HIGH POC
8.8 May 26

NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2023-28643 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2021-22879 HIGH POC
8.8 Apr 14

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi

CVE-2019-12739 HIGH POC
8.8 Jun 05

lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi

CVE-2020-8259 HIGH POC
8.1 Nov 16

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the

CVE-2020-8121 HIGH POC
8.1 Feb 04

A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high

CVE-2020-8182 HIGH POC
8.0 Oct 05

Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss

CVE-2020-8224 HIGH POC
7.8 Aug 10

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi

Share

CVE-2026-45155 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy