
Nextcloud User OIDC (EUVD-2026-33675)

CVE-2026-45156 · HIGH · Improper Authentication (CWE-287)
2026-06-01 · GitHub_M
CVSS 3.1 base score 8.1 (GitHub Advisory)

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Patch available
Jun 01, 2026 - 18:01 EUVD
Source Code Evidence Fetched
Jun 01, 2026 - 17:19 vuln.today
Analysis Generated
Jun 01, 2026 - 17:19 vuln.today

Description (GitHub Advisory)

Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been patched in versions 3.1.0, 4.1.0, 5.1.0, 6.4.0 and 8.3.0.

Analysis (AI)

Authentication bypass in Nextcloud's User OIDC app (versions 0.3.0-3.0.x, 5.0.0-5.0.x, and 6.0.0-6.3.x) allows a malicious ID4me authority to impersonate arbitrary users due to missing JWT signature verification in the ID4me login flow. The flaw stems from a literal 'TODO: VALIATE SIGNATURE!' code comment that left ID tokens accepted without cryptographic validation, enabling identity spoofing once a victim is redirected through the attacker-controlled authority. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Stand up or hijack ID4me authority
Delivery: Lure victim to ID4me login
Exploit: Return forged unsigned ID token
Execution: Bypass missing signature check
Persist: Session issued as target user
Impact: Access victim files and shares

Vulnerability Assessment (AI)

Exploitation: The Nextcloud instance must have the user_oidc app installed and the ID4me login flow enabled (a non-default, opt-in federation mode); standard OIDC provider configurations in the same app are not the vulnerable path. …

Risk Assessment: CVSS 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) reflects network-reachable, low-complexity, unauthenticated exploitation with high confidentiality and integrity impact, appropriate for an account-takeover primitive, but the UI:R requirement and the prerequisite that the Nextcloud instance has the User OIDC app installed and ID4me enabled substantially narrow real-world exposure. …

Exploit Scenario: An attacker stands up (or compromises) an ID4me identity authority and induces a Nextcloud user, or simply initiates the flow themselves, to complete an ID4me login that points discovery at the attacker-controlled authority. The authority returns an unsigned or attacker-signed JWT whose 'sub' claim matches a high-value target account; the vulnerable Id4meController::code() handler skips signature verification and logs the attacker into Nextcloud as that user, granting access to their files, shares, and collaboration data. …

Remediation: Vendor-released patches are available: upgrade the user_oidc app to 3.1.0, 4.1.0, 5.1.0, 6.4.0, or 8.3.0 depending on the major version line currently deployed, per the advisory at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qqgv-fqwp-mjpp and PR https://github.com/nextcloud/user_oidc/pull/1285. …
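The defect described above is the gap between parsing an ID token and verifying it. The following is an added example, not code from the user_oidc app or from Nextcloud: it places the vulnerable pattern (trusting the decoded payload) beside a hardened handler that checks the algorithm, signature, issuer, audience and expiry before any claim is used. It uses HS256 with a constructed shared key so it runs on the standard library alone; real OIDC ID tokens are normally RS256/ES256 and are verified against the issuer's published JWKS, but the ordering of checks is the same. The issuer URL, client ID, key and tokens are constructed fixtures.

```python
"""Vulnerable vs. hardened ID-token handling (CWE-287), as an added example."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ALLOWED_ALGS = {"HS256"}  # explicit allowlist; 'none' is never acceptable


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a signed token. Used here only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """The vulnerable pattern: the payload is parsed and trusted, the
    signature is never checked, so whoever returns the token picks 'sub'."""
    _header, body, _sig = token.split(".")
    return json.loads(_b64url_decode(body))


def verify_id_token(token: str, key: bytes, issuer: str, audience: str,
                    now: Optional[float] = None) -> dict:
    """Hardened pattern: algorithm allowlist, signature, iss, aud and exp are
    all checked before a claim is returned. Raises ValueError on any failure."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise ValueError("unexpected audience")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims


# Constructed fixtures (not real values).
AUTHORITY_KEY = b"constructed-shared-secret"
ISSUER = "https://id4me.example.test"
CLIENT_ID = "nextcloud-example"
NOW = 1_800_000_000  # fixed clock so the example is reproducible

GENUINE = make_hs256_token(
    {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "exp": NOW + 300},
    AUTHORITY_KEY)

# What a rogue authority could hand back: an unsigned ('alg': 'none') token
# naming a different account. Constructed only to show where the two handlers diverge.
FORGED = (_b64url_encode(json.dumps({"alg": "none"}).encode()) + "."
          + _b64url_encode(json.dumps({"iss": ISSUER, "aud": CLIENT_ID,
                                       "sub": "admin", "exp": NOW + 300}).encode())
          + ".")


def login_outcome(token: str, verify: bool) -> str:
    """Return the account a callback handler would bind the session to,
    or 'rejected' when the hardened path refuses the token."""
    try:
        claims = (verify_id_token(token, AUTHORITY_KEY, ISSUER, CLIENT_ID, NOW)
                  if verify else decode_unverified(token))
        return claims["sub"]
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    for name, tok in (("genuine", GENUINE), ("forged", FORGED)):
        print(f"{name}: unverified -> {login_outcome(tok, False)}, "
              f"verified -> {login_outcome(tok, True)}")
```

The unverified path binds the session to whatever `sub` the token carries, which is exactly the account-takeover primitive the analysis describes; the hardened path rejects the unsigned token, a token signed with a different key, and an expired token, and accepts only the genuine one. The allowlist on `alg` matters as much as the signature check: a verifier that honours `alg: none` from the header is no better than one that skips verification.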

Recommended Action (AI)

Within 24 hours: Audit all Nextcloud deployments running OIDC app versions 0.3.0-3.0.x, 5.0.0-5.0.x, or 6.0.0-6.3.x to identify systems using ID4me as an authentication provider. …



EUVD-2026-33675 vulnerability details – vuln.today
