Skip to main content

Nextcloud Circles CVE-2026-45285

| EUVDEUVD-2026-33709 MEDIUM
Missing Authorization (CWE-862)
2026-06-01 GitHub_M
6.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.4 MEDIUM
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
Jun 01, 2026 - 20:02 EUVD
Source Code Evidence Fetched
Jun 01, 2026 - 19:32 vuln.today
Analysis Generated
Jun 01, 2026 - 19:32 vuln.today

DescriptionGitHub Advisory

Nextcloud is an open source content collaboration platform. From versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a user shares a folder or file with a Nextcloud Team that includes an external member (a person added via email address who does not have a Nextcloud account), the system automatically creates a public link for that external member. This public link is not displayed in the share section of the folder, so the folder owner has no knowledge of its existence. It is sent via email to the external member. It grants the same permissions (read, write, delete, reshare, download) as the Team’s access. An attacker who receives or intercepts this link can access, modify, delete, reshare, and download all data in the shared folder without any further authentication. The folder owner cannot see or revoke the link through the normal sharing interface. This issue has been patched in versions 32.0.9 and 33.0.3.

AnalysisAI

Nextcloud's Circles (Teams) sharing feature silently generates unauthenticated public access links when folders are shared with a Team containing external email-only members, links which are never surfaced in the sharing UI and cannot be revoked by the folder owner. Affected are Nextcloud versions 32.0.0-32.0.8 and 33.0.0-33.0.2 with the Circles app in use. Any party who receives or intercepts the emailed link obtains full read, write, delete, reshare, and download access to the shared folder without a Nextcloud account, and the folder owner has no visibility or revocation path through normal interfaces. No public exploit identified at time of analysis; the issue was disclosed via HackerOne.

Technical ContextAI

The vulnerability resides in the Nextcloud Circles app (also marketed as Teams), which provides group-based sharing across Nextcloud. External members - users identified only by email address who lack Nextcloud accounts - are a supported member type in a Circle. The root cause, classified under CWE-862 (Missing Authorization), is that the ShareByCircleProvider's create() method automatically assigned a share token (equivalent to a public-link token) to every circle share record in the oc_share database table when an external member was present. This token was never rendered in the sharing UI, leaving the folder owner unaware of its existence. The token granted access equivalent to the Team's full permission set (read, write, delete, reshare, download), bypassing the expected Nextcloud account authentication. The PR diff at github.com/nextcloud/circles/pull/2454 confirms the fix: token generation was removed from ShareByCircleProvider::create(), and a live migration class RemoveShareTokens was introduced to NULL out all existing tokens for TYPE_CIRCLE shares in the database on upgrade.

RemediationAI

Upgrade Nextcloud to version 32.0.9 or 33.0.3, which contain the patched Circles app. The upgrade automatically executes the RemoveShareTokens live migration, which NULLs all existing share tokens for TYPE_CIRCLE shares in the oc_share table in batches of 1000 rows, thereby invalidating any pre-existing invisible public links - no manual revocation is required post-upgrade. The upstream code change is documented at https://github.com/nextcloud/circles/pull/2454 and the advisory at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r3xh-x86g-hw4m. As an immediate workaround prior to patching, administrators can disable the addition of external email-only members to Circles via Nextcloud admin settings; this prevents new invisible links from being generated but does not revoke tokens already created. Note that disabling external members will break existing collaboration workflows for any Teams currently using them. Alternatively, administrators can directly query the oc_share table and NULL the token column for all rows where share_type matches TYPE_CIRCLE, replicating the migration manually, though this approach carries database modification risk and should be tested in a non-production environment first.

CVE-2023-26482 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2020-8180 CRITICAL POC
9.9 Jun 08

A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co

CVE-2023-48306 CRITICAL POC
9.8 Nov 21

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),

CVE-2016-9463 HIGH POC
8.1 Mar 28

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti

CVE-2023-31128 HIGH POC
8.8 May 26

NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2023-28643 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2021-22879 HIGH POC
8.8 Apr 14

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi

CVE-2019-12739 HIGH POC
8.8 Jun 05

lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi

CVE-2020-8259 HIGH POC
8.1 Nov 16

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the

CVE-2020-8121 HIGH POC
8.1 Feb 04

A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high

CVE-2020-8182 HIGH POC
8.0 Oct 05

Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss

CVE-2020-8224 HIGH POC
7.8 Aug 10

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi

Share

CVE-2026-45285 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy