Nextcloud Server Vulnerability Allowing Unauthorized Attachment Access
CVE-2026-45282

6.5MEDIUM

Key Information:

Vendor

Nextcloud
Status
Security-advisories
Vendor
CVE Published:
1 June 2026

What is CVE-2026-45282?

An access control vulnerability exists in Nextcloud Server, allowing authenticated attackers to access specific attachments from link shares if they have the share token. This vulnerability affects versions 32.0.0 through 32.0.8 and 33.0.0 through 33.0.2. While attackers can exploit this by knowing a document ID they own, the means to access shared folders is limited unless they can guess a document ID of a file within. This ensures a level of difficulty for exploitation but emphasizes the need for users to upgrade to the recommended versions for enhanced security.

Affected Version(s)

security-advisories >= 32.0.0, < 32.0.9 < 32.0.0, 32.0.9

security-advisories >= 33.0.0, < 33.0.3 < 33.0.0, 33.0.3

References

https://github.com/nextcloud/security-advisories/security...
x_refsource_CONFIRM
https://github.com/nextcloud/text/pull/8499
x_refsource_MISC
https://hackerone.com/reports/3577244
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.