
Nextcloud Server CVE-2026-45810

EUVD: EUVD-2026-33720 · MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
Published 2026-06-01 · CNA: GitHub_M
Score 6.8 · CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Patch available: Jun 01, 2026 - 20:02 (EUVD)
Source Code Evidence Fetched: Jun 01, 2026 - 19:29 (vuln.today)
Analysis Generated: Jun 01, 2026 - 19:29 (vuln.today)

Description (GitHub Advisory)

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.12, and 32.0.0 to before 32.0.3, a missing check of a relation allowed authenticated users with access to any file comment to read the content of all comments. It is recommended that the Nextcloud Server is upgraded to 31.0.12 or 32.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 21.0.9.20, 22.2.10.35, 23.0.12.31, 24.0.12.30, 25.0.13.25, 26.0.13.22, 27.1.11.22, 28.0.14.13, 29.0.16.10, 30.0.17.5, 31.0.12 or 32.0.3.

Analysis (AI)

Comment authorization bypass in Nextcloud Server 31.x and 32.x allows authenticated low-privilege users to read all file comments system-wide, bypassing file-level access controls. Affected are Nextcloud Server 31.0.0-31.0.11 and 32.0.0-32.0.2, plus a broad range of Nextcloud Enterprise Server branches. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Obtain low-privilege Nextcloud account
Delivery: Access any valid file comment via DAV endpoint
Exploit: Enumerate arbitrary comment IDs in subsequent requests
Execution: Server returns comments without objectType/objectId ownership validation
Impact: Read sensitive comment content from inaccessible files

Vulnerability Assessment (AI)

Exploitation: The attacker must hold a valid authenticated Nextcloud account with at least low-privilege access (PR:L, as confirmed by the CVSS vector); unauthenticated exploitation is not possible. …

Risk Assessment: CVSS 6.8 Medium with vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N reflects a network-reachable, low-complexity attack requiring low-privilege authentication and some user interaction, producing Changed scope and High confidentiality impact with no integrity or availability loss. …

Exploit Scenario: An authenticated Nextcloud user with access to at least one file comment iterates through comment IDs by manipulating the WebDAV comment endpoint URL, requesting comment resources whose IDs fall outside their own file-access scope. Because the server previously returned any comment by numeric ID without verifying that it belonged to the requested file collection, the attacker reads comments containing sensitive information such as internal project notes, shared credentials, or confidential review feedback from files they cannot otherwise open. …

Remediation: Vendor-released patch: Nextcloud Server 31.0.12 or 32.0.3 for community editions; Nextcloud Enterprise Server users should upgrade to the patched release for their branch (21.0.9.20, 22.2.10.35, 23.0.12.31, 24.0.12.30, 25.0.13.25, 26.0.13.22, 27.1.11.22, 28.0.14.13, 29.0.16.10, 30.0.17.5, 31.0.12, or 32.0.3). …
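The assessment above comes down to one missing relation check: a collection-level access check passes, and the item is then fetched by its numeric ID alone. The following Python model is an added example written for this page, not Nextcloud code; the `Comment` record, the `COMMENTS` and `FILE_ACCESS` tables, and the user names are all constructed, and the `(object_type, object_id, comment_id)` addressing only mirrors the collection-then-item shape described in the scenario. It shows the vulnerable lookup beside the fixed one, where the fix also reports a relation mismatch exactly like a missing comment so the endpoint cannot be used to probe which IDs exist on other objects.

```python
"""Model of a CWE-639 relation check on comment lookups.

Constructed example for this page; it is not Nextcloud's implementation.
A comment is addressed as (object_type, object_id, comment_id). The
vulnerable lookup trusts the comment id alone once the collection check
passes; the fixed lookup also verifies that the comment belongs to the
requested collection.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Comment:
    id: int
    object_type: str  # collection the comment belongs to, e.g. "files"
    object_id: str    # id of the object inside that collection
    message: str


class PermissionDenied(Exception):
    """The caller may not read the requested collection."""


class NotFound(Exception):
    """No readable comment exists at this address."""


# Constructed sample data: one comment on each of two files.
COMMENTS = {
    1: Comment(1, "files", "10", "Design review notes for file 10"),
    2: Comment(2, "files", "20", "Confidential feedback on file 20"),
}

# Constructed access table: which file ids each user may read.
FILE_ACCESS = {
    "alice": {"10"},
    "bob": {"20"},
}


def user_can_access(user: str, object_type: str, object_id: str) -> bool:
    """Collection-level authorization; only the 'files' collection is modelled."""
    return object_type == "files" and object_id in FILE_ACCESS.get(user, set())


def get_comment_vulnerable(user: str, object_type: str, object_id: str,
                           comment_id: int) -> Comment:
    """Vulnerable pattern: after the collection check, the comment is
    fetched by id alone, so any comment in the table is returned."""
    if not user_can_access(user, object_type, object_id):
        raise PermissionDenied(user)
    comment = COMMENTS.get(comment_id)
    if comment is None:
        raise NotFound(comment_id)
    return comment


def get_comment_fixed(user: str, object_type: str, object_id: str,
                      comment_id: int) -> Comment:
    """Fixed pattern: the comment must belong to the requested collection.
    A mismatch is answered like a missing comment, not like a permission
    error, so the response does not reveal that the id exists elsewhere."""
    if not user_can_access(user, object_type, object_id):
        raise PermissionDenied(user)
    comment = COMMENTS.get(comment_id)
    if (comment is None
            or comment.object_type != object_type
            or comment.object_id != object_id):
        raise NotFound(comment_id)
    return comment


def outcome(lookup, user: str, object_type: str, object_id: str,
            comment_id: int) -> str:
    """Run one lookup and summarise the result as a string."""
    try:
        return "ok:" + lookup(user, object_type, object_id, comment_id).message
    except PermissionDenied:
        return "denied"
    except NotFound:
        return "not found"


if __name__ == "__main__":
    # alice may read file 10 only, but asks for comment 2 (on file 20)
    # through the file-10 collection.
    print("vulnerable:", outcome(get_comment_vulnerable, "alice", "files", "10", 2))
    print("fixed:     ", outcome(get_comment_fixed, "alice", "files", "10", 2))
```

The vulnerable lookup hands alice the comment on file 20 even though she can only open file 10; the fixed lookup answers "not found". Returning the same status for a missing comment and a relation mismatch is deliberate: a distinct "forbidden" answer would still let a caller learn which comment IDs exist on objects they cannot read.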


CVE-2026-45810 vulnerability details – vuln.today
