Improper Authentication in Nextcloud Affected by LDAP User Management
CVE-2026-45284

4.6 MEDIUM

Key Information:

Vendor: Nextcloud

CVE Published: 1 June 2026

What is CVE-2026-45284?

Nextcloud, a widely used open source content collaboration platform, is affected by a vulnerability that allows users who authenticate through LDAP to retain access via OpenID Connect (OIDC) even after their user accounts have been deleted. The vulnerability affects versions 1.3.6 up to, but not including, 8.4.0; version 8.4.0 fixes the issue. Users are encouraged to update to the latest version to mitigate the risk of unauthorized access.

Affected Version(s)

security-advisories >= 1.3.6, < 8.4.0

CVSS V3.1

Score: 4.6
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
