Skip to main content

Nextcloud Server CVE-2026-45691

| EUVDEUVD-2026-33718 MEDIUM
Improper Authentication (CWE-287)
2026-06-01 GitHub_M
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
Jun 01, 2026 - 20:02 EUVD
Source Code Evidence Fetched
Jun 01, 2026 - 19:29 vuln.today
Analysis Generated
Jun 01, 2026 - 19:29 vuln.today

DescriptionGitHub Advisory

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer token to authenticate against DAV endpoints, granting read/write access and bypassing mandatory two-factor authentication. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16

AnalysisAI

Two-factor authentication bypass in Nextcloud Server 32.0.0-32.0.8 and 33.0.0-33.0.2 enables a partially-authenticated attacker to access DAV endpoints (WebDAV, CalDAV, CardDAV) with full read/write privileges by reusing a pre-2FA intermediate session cookie as a Bearer token. The TEMPORARY_TOKEN issued after successful password authentication but before TOTP completion was not restricted to cookie-based requests, allowing it to be replayed in an HTTP Authorization: Bearer header against DAV APIs - entirely circumventing mandatory two-factor authentication enforcement. No public exploit has been identified at time of analysis, though a HackerOne report (3573399) documents the issue; vendor-confirmed patches are available.

Technical ContextAI

Nextcloud implements a two-phase authentication flow: after password verification, the server issues a TEMPORARY_TOKEN (a session-scoped PublicKeyToken) that persists until the user completes the second factor (e.g., TOTP). The vulnerability resides in lib/private/User/Session.php within the tryTokenLogin() method, which is responsible for authenticating DAV and API requests via Bearer token. Prior to the fix, this method lacked a type-check discriminating between TEMPORARY_TOKEN (session cookies, pre-2FA) and PERMANENT_TOKEN or ONETIME_TOKEN (app tokens, which legitimately authenticate DAV). As confirmed by PR #59758, the code introduced a $tokenFromCookie boolean flag and added an explicit guard rejecting PublicKeyTokens of type TEMPORARY_TOKEN when presented via the Bearer Authorization header rather than a session cookie. CWE-287 (Improper Authentication) applies precisely: the system accepted a credential that was not yet fully authenticated as if it were, skipping the second-factor gate.

RemediationAI

Vendor-released patches are available: Nextcloud Server should be upgraded to 32.0.9 or 33.0.3. Nextcloud Enterprise Server users should upgrade to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, or 29.0.16.16 depending on the branch in use. The full advisory is published at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mp6x-g55j-w9jw and the source fix is in PR #59758 at https://github.com/nextcloud/server/pull/59758. If immediate patching is not possible, a specific compensating control is to disable or restrict network access to DAV endpoints (WebDAV at /remote.php/dav, CalDAV, CardDAV) at the reverse proxy or firewall layer - this prevents Bearer token replay against those endpoints but will break calendar sync, contact sync, and file access for all clients including legitimate ones, representing a significant service disruption trade-off. There is no configuration toggle to disable pre-2FA session token Bearer acceptance without patching; the fix is exclusively a code-level change.

CVE-2023-26482 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2020-8180 CRITICAL POC
9.9 Jun 08

A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co

CVE-2023-48306 CRITICAL POC
9.8 Nov 21

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),

CVE-2016-9463 HIGH POC
8.1 Mar 28

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti

CVE-2023-31128 HIGH POC
8.8 May 26

NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2023-28643 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2021-22879 HIGH POC
8.8 Apr 14

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi

CVE-2019-12739 HIGH POC
8.8 Jun 05

lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi

CVE-2020-8259 HIGH POC
8.1 Nov 16

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the

CVE-2020-8121 HIGH POC
8.1 Feb 04

A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high

CVE-2020-8182 HIGH POC
8.0 Oct 05

Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss

CVE-2020-8224 HIGH POC
7.8 Aug 10

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi

Share

CVE-2026-45691 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy