Skip to main content

Nextcloud Groupfolders CVE-2026-45264

| EUVDEUVD-2026-33671 MEDIUM
Improper Access Control (CWE-284)
2026-06-01 GitHub_M
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jun 01, 2026 - 18:01 EUVD
Source Code Evidence Fetched
Jun 01, 2026 - 17:25 vuln.today
Analysis Generated
Jun 01, 2026 - 17:25 vuln.today

DescriptionGitHub Advisory

Nextcloud is an open source content collaboration platform. From versions 17.0.0 to before 17.0.15, 18.0.0 to before 18.1.12, 19.0.0 to before 19.1.16, 20.0.0 to before 20.1.11, and 21.0.0 to before 21.0.4, a user with READ and CREATE permission, but no UPDATE permission for a team folder can rename files in the team folder. This issue has been patched in versions 17.0.15, 18.1.12, 19.1.16, 20.1.11, and 21.0.4.

AnalysisAI

Rename permission bypass in Nextcloud's team folder (groupfolders) feature allows authenticated low-privileged users holding READ and CREATE permissions to rename files in team folders even when UPDATE permission is explicitly denied. Affecting Nextcloud versions 17.0.0 through 21.0.3, the flaw originates from a single-character bitwise operator error in ACLStorageWrapper.php - a & used instead of | when evaluating combined permission flags effectively nullifies the UPDATE permission check. No public exploit identified at time of analysis; vendor-released patches are available across all affected version branches.

Technical ContextAI

The vulnerability resides in the groupfolders (team folders) plugin's lib/ACL/ACLStorageWrapper.php, specifically in the rename() method's ACL permission check. Nextcloud uses bitmask constants to represent permissions (READ, CREATE, UPDATE, etc.); combining them correctly requires bitwise OR (|) to check that a user holds all required permissions. The defective code used bitwise AND (&) between PERMISSION_UPDATE and PERMISSION_READ, which - since these are distinct non-overlapping bit flags - evaluates to zero, causing checkPermissions() to receive a trivially-satisfied operand and bypass the UPDATE requirement entirely. CWE-284 (Improper Access Control) is the accurate root cause class: the access control boundary between CREATE and UPDATE permissions is not correctly enforced at the storage wrapper layer. The CPE string cpe:2.3:a:nextcloud:security-advisories covers the Nextcloud application suite as reported by NVD.

RemediationAI

Upgrade Nextcloud to one of the vendor-patched releases: 17.0.15, 18.1.12, 19.1.16, 20.1.11, or 21.0.4, which incorporate the corrected bitwise OR operator in ACLStorageWrapper.php via groupfolders PR #4361 (https://github.com/nextcloud/groupfolders/pull/4361). Full vendor advisory is at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wx2x-822r-rvmf. If an immediate upgrade cannot be applied, the most targeted compensating control is to audit team folder ACL configurations and remove CREATE permission from any user who does not also hold UPDATE permission - this eliminates the exploitable READ+CREATE-without-UPDATE permission subset, though it restricts legitimate file creation for those users. Alternatively, temporarily revoking groupfolders access for sensitive team folders until the patch is applied eliminates exposure entirely, at the cost of disrupting collaboration workflows.

CVE-2023-26482 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2020-8180 CRITICAL POC
9.9 Jun 08

A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co

CVE-2023-48306 CRITICAL POC
9.8 Nov 21

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),

CVE-2016-9463 HIGH POC
8.1 Mar 28

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti

CVE-2023-31128 HIGH POC
8.8 May 26

NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2023-28643 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2021-22879 HIGH POC
8.8 Apr 14

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi

CVE-2019-12739 HIGH POC
8.8 Jun 05

lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi

CVE-2020-8259 HIGH POC
8.1 Nov 16

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the

CVE-2020-8121 HIGH POC
8.1 Feb 04

A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high

CVE-2020-8182 HIGH POC
8.0 Oct 05

Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss

CVE-2020-8224 HIGH POC
7.8 Aug 10

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi

Share

CVE-2026-45264 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy