Skip to main content

Nextcloud Talk EUVDEUVD-2026-33678

| CVE-2026-45266 LOW
Improper Access Control (CWE-284)
2026-06-01 GitHub_M
3.5
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.5 LOW
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jun 01, 2026 - 18:01 EUVD
Source Code Evidence Fetched
Jun 01, 2026 - 17:20 vuln.today
Analysis Generated
Jun 01, 2026 - 17:20 vuln.today

DescriptionGitHub Advisory

Nextcloud is an open source content collaboration platform. Prior to versions 21.1.10, 22.0.11, and 23.0.3, a low-privileged user can force other user's microphones to be muted in calls when no High-performance Backend is installed. This issue has been patched in versions 21.1.10, 22.0.11, and 23.0.3.

AnalysisAI

Improper access control in Nextcloud Talk's signaling layer allows a low-privileged authenticated user to forcibly mute other participants' microphones during calls on deployments without the High-performance Backend. The vulnerability exists in SignalingController::sendMessages(), which processed 'control' type signaling messages without first validating that the target session (decodedMessage['to']) was a legitimate room participant - allowing session-targeted control commands to reach arbitrary users. No public exploit or CISA KEV listing exists at time of analysis, and real-world impact is limited to call disruption with no data exposure.

Technical ContextAI

The affected component is the Nextcloud Talk application (internally named 'spreed'), which implements WebRTC-based calling using a server-side signaling controller. The vulnerable code in lib/Controller/SignalingController.php processes signaling messages via sendMessages(), routing 'control' message types between session participants. CWE-284 (Improper Access Control) applies: the original code validated the sender's session but failed to verify that decodedMessage['to'] - the target session - actually belonged to a participant in the same room before forwarding control commands. The fix introduces a getParticipantBySession() lookup for the target session and aborts message processing if the target is not a valid room participant. The vulnerability is conditional on the absence of the High-performance Backend (HPB), which implements its own signaling validation layer. CPE: cpe:2.3:a:nextcloud:security-advisories:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade Nextcloud to one of the patched releases: 21.1.10, 22.0.11, or 23.0.3, as confirmed by vendor advisory GHSA-x75r-65hm-cw35 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x75r-65hm-cw35). The upstream code fix is merged in nextcloud/spreed PR #17577 (https://github.com/nextcloud/spreed/pull/17577). As an interim compensating control, deploying the Nextcloud Talk High-performance Backend (HPB) eliminates the vulnerable signaling path entirely, since HPB enforces its own participant validation - however, HPB introduces infrastructure overhead and requires additional configuration. Restricting call participation to trusted users via Nextcloud's permission system reduces exposure but does not fully remediate the flaw, as any low-privileged participant can exploit it.

CVE-2023-26482 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2020-8180 CRITICAL POC
9.9 Jun 08

A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co

CVE-2023-48306 CRITICAL POC
9.8 Nov 21

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),

CVE-2016-9463 HIGH POC
8.1 Mar 28

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti

CVE-2023-31128 HIGH POC
8.8 May 26

NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2023-28643 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2021-22879 HIGH POC
8.8 Apr 14

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi

CVE-2019-12739 HIGH POC
8.8 Jun 05

lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi

CVE-2020-8259 HIGH POC
8.1 Nov 16

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the

CVE-2020-8121 HIGH POC
8.1 Feb 04

A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high

CVE-2020-8182 HIGH POC
8.0 Oct 05

Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss

CVE-2020-8224 HIGH POC
7.8 Aug 10

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi

Share

EUVD-2026-33678 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy