Unauthorized Access Risk in Nextcloud Collaboration Platform
CVE-2026-45285

6.4 MEDIUM

Key Information:

Vendor: Nextcloud
CVE Published: 1 June 2026

What is CVE-2026-45285?

Nextcloud is an open-source content collaboration platform. In versions 32.0.0 through 32.0.8 and 33.0.0 through 33.0.2, its file sharing functionality automatically creates a public link for external users when a folder or file is shared. This public link is not visible to the folder owner, so the owner is unaware that it exists. An attacker who intercepts the link can read, write, delete, reshare, and download all data within the shared folder without authenticating. Because the folder owner has neither visibility into nor control over the generated link, the issue is a serious risk in handling external collaborations. The vulnerability has been addressed in versions 32.0.9 and 33.0.3.

Affected Version(s)

security-advisories: affected >= 32.0.0, < 32.0.9; unaffected < 32.0.0, 32.0.9

security-advisories: affected >= 33.0.0, < 33.0.3; unaffected < 33.0.0, 33.0.3

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
