Skip to main content

Nextcloud Server EUVDEUVD-2026-33708

| CVE-2026-45283 MEDIUM
Improper Authentication (CWE-287)
2026-06-01 GitHub_M
6.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Patch available
Jun 01, 2026 - 20:02 EUVD
Source Code Evidence Fetched
Jun 01, 2026 - 19:33 vuln.today
Analysis Generated
Jun 01, 2026 - 19:33 vuln.today

DescriptionGitHub Advisory

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the files_lock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated user could lock or unlock files belonging to other users by targeting their absolute WebDAV paths. Additionally, lock tokens were disclosed to unauthorized callers in error responses, allowing attackers to remove token-based locks placed by other users' client applications. It is recommended that the Nextcloud Server is upgraded to 32.0.2 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 31.0.14.4 or 32.0.2 or 33.0.1

AnalysisAI

Nextcloud Server's files_lock application failed to enforce file ownership during WebDAV DAV lock and unlock operations, allowing any authenticated low-privilege account to lock or unlock files belonging to other users by referencing their absolute WebDAV paths. Affected releases span Nextcloud Server 32.0.0-32.0.1 and 33.0.0, plus Nextcloud Enterprise Server in the 31.0.x, 32.x, and 33.x lines prior to their respective patches. Compounding the flaw, lock tokens were leaked in server error responses, enabling an attacker to silently remove token-based locks placed by legitimate sync clients - disrupting collaborative workflows without direct file access. No public exploit code or CISA KEV listing exists at time of analysis.

Technical ContextAI

The vulnerability resides in the files_lock app's FileService.php, specifically the getFileFromUri() method. The pre-patch code extracted the $userId directly from the caller-supplied WebDAV URI string using PHP's explode() function: [$root, $userId, $path] = explode('/', trim($uri, '/') . '/', 3). This meant the system trusted the user identifier embedded in the path rather than the authenticated session identity - a classic confused-deputy pattern. The fix enforces session-derived identity: $userId = $this->userSession->getUser()->getUID(), ignoring the path-supplied value entirely. WebDAV LOCK and UNLOCK are standard HTTP extension methods defined in RFC 4918 and are used extensively by Nextcloud desktop sync clients and WebDAV-aware applications for collaborative file access serialization. The root cause is classified as CWE-287 (Improper Authentication): the server authenticated the requesting user but failed to verify authorization over the targeted resource, treating path-parsed identity as equivalent to session identity.

RemediationAI

Upgrade Nextcloud Server to version 32.0.2 or 33.0.1, or Nextcloud Enterprise Server to 31.0.14.4, 32.0.2, or 33.0.1 - all confirmed patched releases per the vendor advisory at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4chh-6mhf-p4jj. The upstream code fix is available in PR #1007 at https://github.com/nextcloud/files_lock/pull/1007. If immediate upgrade is not feasible, administrators should disable the files_lock app via the Nextcloud admin panel; this eliminates the attack surface entirely but also disables WebDAV-based file locking for all sync clients and WebDAV applications, potentially disrupting collaborative workflows that depend on it. Restricting WebDAV endpoint access to trusted IP ranges or requiring VPN authentication reduces exposure but does not eliminate risk since the attacker only requires a valid Nextcloud account - not network privilege escalation.

CVE-2023-26482 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2020-8180 CRITICAL POC
9.9 Jun 08

A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co

CVE-2023-48306 CRITICAL POC
9.8 Nov 21

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),

CVE-2016-9463 HIGH POC
8.1 Mar 28

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti

CVE-2023-31128 HIGH POC
8.8 May 26

NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2023-28643 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2021-22879 HIGH POC
8.8 Apr 14

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi

CVE-2019-12739 HIGH POC
8.8 Jun 05

lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi

CVE-2020-8259 HIGH POC
8.1 Nov 16

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the

CVE-2020-8121 HIGH POC
8.1 Feb 04

A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high

CVE-2020-8182 HIGH POC
8.0 Oct 05

Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss

CVE-2020-8224 HIGH POC
7.8 Aug 10

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-33708 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy