Skip to main content

Nextcloud user_oidc EUVDEUVD-2026-33710

| CVE-2026-45284 MEDIUM
Improper Access Control (CWE-284)
2026-06-01 GitHub_M
4.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.6 MEDIUM
AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Patch available
Jun 01, 2026 - 20:02 EUVD
Source Code Evidence Fetched
Jun 01, 2026 - 19:32 vuln.today
Analysis Generated
Jun 01, 2026 - 19:32 vuln.today

DescriptionGitHub Advisory

Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that where provided by LDAP to still authenticate towards user OIDC after they where deleted. This issue has been patched in version 8.4.0.

AnalysisAI

Authentication bypass in Nextcloud's user_oidc app (versions 1.3.6 through 8.3.x) allows users deleted from LDAP to continue authenticating via OpenID Connect. The root cause is a boolean logic inversion in LdapService.php - the condition isLDAPEnabled() was used instead of !isLDAPEnabled(), causing the LDAP deletion check to execute only when LDAP was inactive, effectively skipping it in every real-world deployment. No public exploit code has been identified at time of analysis; the issue was responsibly disclosed via HackerOne report #3554696.

Technical ContextAI

The vulnerability resides in the user_oidc Nextcloud application (CPE: cpe:2.3:a:nextcloud:security-advisories), which integrates OpenID Connect single sign-on with Nextcloud's LDAP user provisioning backend. CWE-284 (Improper Access Control) describes the class of failure precisely: the access control gate responsible for enforcing LDAP account lifecycle - specifically, user deletion - was rendered non-functional by a single inverted boolean in lib/Service/LdapService.php. The diff from GitHub PR #1340 shows the entire fix is changing if ($this->isLDAPEnabled()) to if (!$this->isLDAPEnabled()), meaning that prior to the patch, the deletion-enforcement block was entered only when LDAP was disabled, leaving deleted LDAP users entirely unchecked during OIDC authentication flows when LDAP was active.

RemediationAI

Upgrade the Nextcloud user_oidc app to version 8.4.0, the vendor-released patch confirmed by GitHub PR #1340 (https://github.com/nextcloud/user_oidc/pull/1340) and security advisory GHSA-79xf-ffj8-96fm. As a temporary compensating control, administrators may disable the user_oidc app entirely and revert to LDAP-native authentication flows; this eliminates the vulnerable code path but disrupts OIDC-based SSO for all users. A narrower mitigation is to audit active OIDC sessions and forcibly invalidate sessions belonging to accounts recently removed from LDAP - this reduces exposure without full service disruption but requires manual or scripted session management. There is no known configuration flag to enable correct deletion-check behavior without applying the patch; the flaw is in application logic, not a configurable parameter.

CVE-2023-26482 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2020-8180 CRITICAL POC
9.9 Jun 08

A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co

CVE-2023-48306 CRITICAL POC
9.8 Nov 21

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),

CVE-2016-9463 HIGH POC
8.1 Mar 28

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti

CVE-2023-31128 HIGH POC
8.8 May 26

NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2023-28643 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2021-22879 HIGH POC
8.8 Apr 14

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi

CVE-2019-12739 HIGH POC
8.8 Jun 05

lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi

CVE-2020-8259 HIGH POC
8.1 Nov 16

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the

CVE-2020-8121 HIGH POC
8.1 Feb 04

A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high

CVE-2020-8182 HIGH POC
8.0 Oct 05

Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss

CVE-2020-8224 HIGH POC
7.8 Aug 10

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi

Share

EUVD-2026-33710 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy