Skip to main content

Nextcloud Server CVE-2026-45157

| EUVDEUVD-2026-33676 MEDIUM
Improper Access Control (CWE-284)
2026-06-01 GitHub_M
6.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jun 01, 2026 - 18:01 EUVD
Source Code Evidence Fetched
Jun 01, 2026 - 17:26 vuln.today
Analysis Generated
Jun 01, 2026 - 17:26 vuln.today

DescriptionGitHub Advisory

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a malicious user has access to a file share of a user, they could use this share token to also access the chunking upload directly and see temporary part files during on going uploads. It is recommended that the Nextcloud Server is upgraded to 32.0.9 or 33.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 26.0.13.26, 27.1.11.25, 28.0.14.17, 29.0.16.16, 30.0.17.9, 31.0.14.5, 32.0.9 or 33.0.3

AnalysisAI

Unauthorized chunking upload access in Nextcloud Server allows an authenticated share recipient to read temporary part files during another user's active file upload. Affecting versions 32.0.0-32.0.8 and 33.0.0-33.0.2, the flaw stems from the WebDAV chunking upload collection failing to restrict directory listing or GET requests on intermediate upload objects when accessed via a share token - a boundary the fix explicitly closes by blocking reads on FutureFile and UploadFile node types. No public exploit has been identified and no CISA KEV listing exists at time of analysis, but the high confidentiality impact (CVSS C:H) means sensitive in-transit file contents are fully exposed to any malicious share recipient who times access during an active upload.

Technical ContextAI

Nextcloud's WebDAV layer uses a chunking upload v2 mechanism implemented in apps/dav/lib/Upload/ChunkingV2Plugin.php, backed by the SabreDAV library. When a user uploads a large file, chunks are written as temporary FutureFile and UploadFile objects under the /remote.php/dav/uploads/ collection. Prior to the fix, the UploadHome collection permitted child enumeration and the ChunkingV2Plugin registered no beforeMethod:GET guard on these intermediate node types - meaning any requester authenticating to the DAV layer via a share token (rather than a full user session) could list active upload sessions and retrieve partial file contents. CWE-284 (Improper Access Control) applies directly: the access control boundary between share-scoped tokens and the upload namespace was entirely absent. The published PR diff at https://github.com/nextcloud/server/pull/59780 confirms the fix adds a beforeGet hook throwing MethodNotAllowed for FutureFile and UploadFile nodes, sets disableListing = true on the root upload collection, and throws MethodNotAllowed on child enumeration in UploadHome. The affected CPE is cpe:2.3:a:nextcloud:security-advisories:*:*:*:*:*:*:*:*.

RemediationAI

Vendor-released patch: Nextcloud Server (Community) 32.0.9 or 33.0.3. Nextcloud Enterprise Server users should upgrade to the appropriate branch release: 26.0.13.26, 27.1.11.25, 28.0.14.17, 29.0.16.16, 30.0.17.9, 31.0.14.5, 32.0.9, or 33.0.3, as confirmed by the vendor advisory at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-45pj-p7x7-4mhc. The upstream fix is available at https://github.com/nextcloud/server/pull/59780 and has been merged; patched release versions are confirmed by the vendor. Where immediate patching is not feasible, administrators can disable file sharing and share link creation entirely via Nextcloud admin settings under Sharing - this eliminates the share token attack surface but will break all legitimate external and internal share functionality, which is a significant operational trade-off. There is no known surgical workaround that blocks chunking upload access via share tokens while preserving normal share behavior without applying the patch.

CVE-2023-26482 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2020-8180 CRITICAL POC
9.9 Jun 08

A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co

CVE-2023-48306 CRITICAL POC
9.8 Nov 21

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),

CVE-2016-9463 HIGH POC
8.1 Mar 28

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti

CVE-2023-31128 HIGH POC
8.8 May 26

NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2023-28643 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2021-22879 HIGH POC
8.8 Apr 14

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi

CVE-2019-12739 HIGH POC
8.8 Jun 05

lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi

CVE-2020-8259 HIGH POC
8.1 Nov 16

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the

CVE-2020-8121 HIGH POC
8.1 Feb 04

A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high

CVE-2020-8182 HIGH POC
8.0 Oct 05

Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss

CVE-2020-8224 HIGH POC
7.8 Aug 10

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-45157 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy