Access Control Vulnerability in Nextcloud's Content Collaboration Platform
CVE-2026-45157

6.3 MEDIUM

Key Information:

Vendor: Nextcloud

CVE Published: 1 June 2026

What is CVE-2026-45157?

Nextcloud, an open-source content collaboration platform, is affected by an access control vulnerability. A malicious user who has gained access to a file share can manipulate the share token to bypass access controls. This grants unauthorized visibility into temporary part files while uploads are still in progress, putting the integrity and confidentiality of sensitive information at risk. To mitigate this issue, users are strongly advised to upgrade to the latest releases: 32.0.9 or 33.0.3 for Nextcloud Server, and 26.0.13.26, 27.1.11.25, 28.0.14.17, 29.0.16.16, 30.0.17.9, 31.0.14.5, 32.0.9 or 33.0.3 for Nextcloud Enterprise Server.

Affected Version(s)

security-advisories >= 32.0.0, < 32.0.9 < 32.0.0, 32.0.9

security-advisories >= 33.0.0, < 33.0.3 < 33.0.0, 33.0.3

CVSS V3.1

Score: 6.3
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
