Skip to main content

Nextcloud E2EE App EUVDEUVD-2026-33677

| CVE-2026-45159 LOW
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-01 GitHub_M
3.5
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.5 LOW
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jun 01, 2026 - 18:01 EUVD
Source Code Evidence Fetched
Jun 01, 2026 - 17:21 vuln.today
Analysis Generated
Jun 01, 2026 - 17:21 vuln.today

DescriptionGitHub Advisory

Nextcloud is an open source content collaboration platform. From versions 1.15.0 to before 1.15.4, 1.16.0 to before 1.16.3, 1.17.0 to before 1.17.1, and 1.18.0 to before 1.18.1, a malicious user with access to an end-to-end encrypted files drop link was able to also drop files into other end-to-end encrypted folders of the share owner. Reading and modifying of other files was not possible. This issue has been patched in versions 1.15.4, 1.16.3, 1.17.1, 1.18.1, and 2.0.0-rc.7.

AnalysisAI

Unauthorized file injection in the Nextcloud end-to-end encryption application (versions 1.15.0-1.18.x) allows a low-privileged user possessing a valid E2EE files drop share link to write files into other E2EE-encrypted folders owned by the same share owner. The impact is strictly integrity-limited - confidentiality is unaffected and existing files cannot be read or modified - consistent with the CVSS score of 3.5 (Low). No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog; it was responsibly disclosed via HackerOne report #3304830.

Technical ContextAI

The vulnerability resides in MetaDataController.php within Nextcloud's end_to_end_encryption application. The root cause, CWE-639 (Authorization Bypass Through User-Controlled Key), stems from the original getOwnerId() method resolving share ownership solely from a shareToken without verifying that the caller-supplied fileId parameter fell within the scope of that share. A valid file drop token - which should only authorize writes to its specifically shared E2EE folder - could therefore be submitted alongside an arbitrary fileId referencing a different E2EE folder owned by the same user, bypassing the intended folder scope boundary. The fix introduced in PR #1395 replaces getOwnerId() with getFileDropOwnerId(), which enforces four explicit guards: (1) the share must carry CREATE permission, (2) the share root must be a Folder node, (3) that folder must be encrypted, and (4) the requested fileId must equal the share root or be a descendant node returned by getFirstNodeById() - preventing any out-of-scope folder targeting. Affected CPE: cpe:2.3:a:nextcloud:security-advisories:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade the Nextcloud end-to-end encryption app to the vendor-released patched versions: 1.15.4, 1.16.3, 1.17.1, 1.18.1, or 2.0.0-rc.7, selecting the branch that corresponds to your current deployment. The upstream source fix is documented in PR #1395 at https://github.com/nextcloud/end_to_end_encryption/pull/1395 and the full vendor advisory is at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p3qw-7gwx-wg24. If immediate patching is not feasible, a targeted compensating control is to disable or revoke all end-to-end encrypted files drop shares (i.e., create-only share links targeting E2EE folders) until the patch is applied - this eliminates the attack vector entirely since the exploit requires a valid drop link as its entry point. The trade-off is that external collaborators lose the ability to submit files via drop links until patching is complete.

CVE-2023-26482 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2020-8180 CRITICAL POC
9.9 Jun 08

A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co

CVE-2023-48306 CRITICAL POC
9.8 Nov 21

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),

CVE-2016-9463 HIGH POC
8.1 Mar 28

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti

CVE-2023-31128 HIGH POC
8.8 May 26

NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2023-28643 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2021-22879 HIGH POC
8.8 Apr 14

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi

CVE-2019-12739 HIGH POC
8.8 Jun 05

lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi

CVE-2020-8259 HIGH POC
8.1 Nov 16

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the

CVE-2020-8121 HIGH POC
8.1 Feb 04

A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high

CVE-2020-8182 HIGH POC
8.0 Oct 05

Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss

CVE-2020-8224 HIGH POC
7.8 Aug 10

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi

Share

EUVD-2026-33677 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy