Missing Access Check in Nextcloud Server Affects Content Collaboration
CVE-2026-45155

2.6 LOW

Key Information:

Vendor: Nextcloud
CVE Published: 1 June 2026

What is CVE-2026-45155?

Nextcloud Server, a popular open-source content collaboration platform, is missing an access check at the API level. The missing check allows users to directly add unknown circles by their ID to other circles, potentially leading to unauthorized access to membership tracking. The complexity of circle IDs (62^15) reduces the likelihood of exploitation, but an attacker who obtains a specific ID through other means could exploit this vulnerability. Users of Nextcloud Server are advised to upgrade to version 32.0.7 or 33.0.1 to mitigate this risk. Nextcloud Enterprise users should update to 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7, or 33.0.1.
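A patch-level triage check built from the fixed versions listed above. This is an added example, not Nextcloud's own code; the status names, host names and sample version strings are hypothetical, and the input is assumed to be the version string each instance reports.

```python
import re

# Fixed builds per release branch, copied from the advisory text above.
# The 29, 30 and 31 builds are the Nextcloud Enterprise releases it lists.
FIXED = {
    29: (29, 0, 16, 14),
    30: (30, 0, 17, 8),
    31: (31, 0, 14, 3),
    32: (32, 0, 7),
    33: (33, 0, 1),
}

def parse_version(text):
    """Split '32.0.6', 'v31.0.14.3' or '32.0.7 RC1' into (int tuple, suffix)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+){1,3})\s*(.*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)

def pad(version, width=4):
    """Right-pad with zeros so 3-part and 4-part versions compare correctly."""
    return version + (0,) * (width - len(version))

def triage(version_text):
    """Classify one version string against the advisory's fixed builds."""
    version, suffix = parse_version(version_text)
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "branch_not_listed"      # the page names no fix for this branch
    if pad(version) < pad(fixed):       # integer compare: 32.0.10 > 32.0.7
        return "below_fixed"
    if pad(version) == pad(fixed) and re.match(r"(?i)(rc|beta|alpha)", suffix):
        return "prerelease_unverified"  # pre-release of the fixed build
    return "at_or_above_fixed"

def triage_fleet(inventory):
    """Map each host in {host: version_string} to its triage result."""
    return {host: triage(v) for host, v in inventory.items()}

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "cloud-a.example": "32.0.6",
    "cloud-b.example": "33.0.1",
    "cloud-c.example": "31.0.14",
    "cloud-d.example": "28.0.10",
}

if __name__ == "__main__":
    for host, status in triage_fleet(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A `branch_not_listed` result means only that the page names no fixed build for that branch, so those instances need a manual check.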

Affected Version(s)

security-advisories >= 32.0.0, < 32.0.7 < 32.0.0, 32.0.7

security-advisories >= 33.0.0, < 33.0.1 < 33.0.0, 33.0.1

CVSS V3.1

Score: 2.6
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
