Skip to main content

Nextcloud Server EUVDEUVD-2026-33716

| CVE-2026-45690 MEDIUM
Improper Authentication (CWE-287)
2026-06-01 GitHub_M
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
Jun 01, 2026 - 20:02 EUVD
Source Code Evidence Fetched
Jun 01, 2026 - 19:30 vuln.today
Analysis Generated
Jun 01, 2026 - 19:30 vuln.today

DescriptionGitHub Advisory

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user's password to circumvent two-factor authentication (2FA) protections. When a user initiated login with valid credentials on a 2FA-enabled account, the system created a temporary session token before enforcing the second factor challenge. This token could be extracted and replayed via HTTP Basic Authentication to gain unauthorized access to authenticated endpoints. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16

AnalysisAI

Two-factor authentication bypass in Nextcloud Server 32.0.0-32.0.8 and 33.0.0-33.0.2 allows an authenticated attacker who possesses a valid user password to fully circumvent 2FA protections and gain unauthorized account access. During the login sequence, Nextcloud creates a temporary session token after credential validation but before the second factor is enforced; this token was not restricted from use in HTTP Basic Authentication or Bearer-header flows, enabling replay to authenticated API endpoints and effectively nullifying the 2FA control. Vendor-released patches exist as 32.0.9 and 33.0.3; no public exploit identified at time of analysis, though the fix PR makes the exploit mechanism technically transparent.

Technical ContextAI

Nextcloud Server is a self-hosted PHP collaboration platform. The vulnerability resides in lib/private/User/Session.php, specifically within the logClientIn() and tryTokenLogin() methods. CWE-287 (Improper Authentication) accurately captures the root cause: the authentication subsystem failed to enforce a critical distinction between token types. The PublicKeyToken class internally distinguishes TEMPORARY_TOKEN (issued transiently after password validation, before 2FA completion), PERMANENT_TOKEN, and ONETIME_TOKEN (the legitimate token types for API and HTTP Basic Auth access). The flaw allowed a TEMPORARY_TOKEN to authenticate HTTP Basic Auth and Bearer-header requests without ever satisfying the 2FA challenge. The published fix in PR #59758 introduces explicit type-gating in two locations: logClientIn() now rejects any PublicKeyToken that is not PERMANENT_TOKEN or ONETIME_TOKEN, and tryTokenLogin() explicitly blocks TEMPORARY_TOKEN tokens arriving via a non-cookie source (i.e., Basic Auth or Authorization header). The CPE reported is cpe:2.3:a:nextcloud:security-advisories:*:*:*:*:*:*:*:* as catalogued under the GitHub advisory program.

RemediationAI

Vendor-released patches are available and should be applied immediately. Nextcloud Server should be upgraded to version 32.0.9 or 33.0.3. Nextcloud Enterprise Server customers should upgrade to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, or 29.0.16.16 depending on their deployed branch. The upstream code fix is documented in GitHub PR #59758 (https://github.com/nextcloud/server/pull/59758) and the authoritative security advisory is at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jgcj-v42r-9922. If immediate patching is not feasible, a targeted compensating control is to block or restrict HTTP Basic Authentication and Bearer-header token requests at the reverse proxy or WAF layer; however, this will break legitimate API clients including DAV sync clients, mobile apps, and third-party integrations that use app tokens, and requires careful testing before deployment. Disabling 2FA entirely is not a mitigation - it simply removes the control being bypassed. There is no rate-limiting or network-layer compensating control that addresses the token-type confusion at the application layer.

CVE-2023-26482 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2020-8180 CRITICAL POC
9.9 Jun 08

A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co

CVE-2023-48306 CRITICAL POC
9.8 Nov 21

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),

CVE-2016-9463 HIGH POC
8.1 Mar 28

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti

CVE-2023-31128 HIGH POC
8.8 May 26

NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2023-28643 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2021-22879 HIGH POC
8.8 Apr 14

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi

CVE-2019-12739 HIGH POC
8.8 Jun 05

lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi

CVE-2020-8259 HIGH POC
8.1 Nov 16

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the

CVE-2020-8121 HIGH POC
8.1 Feb 04

A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high

CVE-2020-8182 HIGH POC
8.0 Oct 05

Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss

CVE-2020-8224 HIGH POC
7.8 Aug 10

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi

Share

EUVD-2026-33716 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy