Authentication Bypass Vulnerability in Nextcloud Server
CVE-2026-45690

5.9 MEDIUM

Key Information:

Vendor: Nextcloud
CVE Published: 1 June 2026

What is CVE-2026-45690?

Nextcloud Server, a popular open-source content collaboration platform, is vulnerable to an authentication bypass flaw. The vulnerability affects versions 32.0.0 to 32.0.8 and 33.0.0 to 33.0.2. An attacker who knows a user's password may exploit this flaw to bypass two-factor authentication (2FA). When a login with valid credentials is made on a 2FA-enabled account, the system generates a temporary session token before requiring the second authentication factor. This token can be compromised, allowing unauthorized access to protected endpoints via HTTP Basic Authentication. Users are advised to upgrade to version 32.0.9 or 33.0.3 to mitigate this risk.

Affected Version(s)

security-advisories >= 32.0.0, < 32.0.9 < 32.0.0, 32.0.9

security-advisories >= 33.0.0, < 33.0.3 < 33.0.0, 33.0.3

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
