Missing Signature Verification in Nextcloud OIDC Enables User Impersonation
CVE-2026-45156

8.1 HIGH

Key Information:

Vendor: Nextcloud

CVE Published: 1 June 2026

What is CVE-2026-45156?

Nextcloud, a popular open-source content collaboration platform, has a missing signature verification vulnerability in its User OIDC implementation. The flaw allows a malicious ID4me authority to impersonate any user, potentially leading to unauthorized access and data exposure. Affected versions are 0.3.0 up to but not including 3.1.0, 5.0.0 up to but not including 5.1.0, and 6.0.0 up to but not including 6.4.0. To mitigate the issue, upgrade to a patched version: 3.1.0, 4.1.0, 5.1.0, 6.4.0, or later.

Affected Version(s)

security-advisories >= 0.3.0, < 3.1.0 < 0.3.0, 3.1.0

security-advisories >= 5.0.0, < 5.1.0 < 5.0.0, 5.1.0

security-advisories >= 6.0.0, < 6.4.0 < 6.0.0, 6.4.0

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
