Session Management Flaw in Nextcloud Server by Nextcloud
CVE-2026-45691

5.9 MEDIUM

Key Information:

Vendor: Nextcloud
CVE Published: 1 June 2026

What is CVE-2026-45691?

A session management vulnerability in Nextcloud Server lets an attacker make use of a pre-2FA session cookie. This cookie is issued after a successful password check but before Time-based One-Time Password (TOTP) verification has completed, yet it can be reused as a Bearer token to obtain unauthorized read/write access to DAV endpoints. The flaw therefore allows mandatory two-factor authentication to be bypassed. Users are strongly encouraged to upgrade to Nextcloud Server version 33.0.3 or 32.0.9, and Nextcloud Enterprise Server to at least version 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, or 29.0.16.16, to mitigate this vulnerability.
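The core of the problem described above is a session that has passed the password step but not the second factor being treated as fully authenticated by a token-based (Bearer) code path. The following Python model is an added illustration, not Nextcloud's code and not taken from this advisory: it shows a provisional session being created after password login, a vulnerable DAV authenticator that accepts any live session id as a Bearer token, and a hardened authenticator that refuses (and logs) sessions whose two-factor step has not completed. All names (`SessionStore`, `dav_auth_vulnerable`, `dav_auth_hardened`) and the sample credentials are hypothetical.

```python
"""Toy model of a pre-2FA session being accepted as a Bearer token.

Hypothetical example code, not Nextcloud's implementation. A password
login creates a session that is only provisionally authenticated until
TOTP verification succeeds; DAV/API bearer authentication must treat
such a session as unauthenticated.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    user: str
    created: float
    two_factor_complete: bool = False  # False until TOTP has been verified


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def password_login(self, user: str, password: str, expected: str) -> Optional[str]:
        """Step 1: password check. Returns a session id, or None on failure."""
        # Constant-time comparison stands in for real password verification.
        if not hmac.compare_digest(password.encode(), expected.encode()):
            return None
        sid = secrets.token_urlsafe(32)
        # Password accepted, but 2FA has not run yet: the session is provisional.
        self._sessions[sid] = Session(user=user, created=time.time())
        return sid

    def complete_totp(self, sid: str, code: str, expected_code: str) -> bool:
        """Step 2: TOTP check. Marks the session fully authenticated on success."""
        s = self._sessions.get(sid)
        if s is None or not hmac.compare_digest(code.encode(), expected_code.encode()):
            return False
        s.two_factor_complete = True
        return True

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Extract the token from an 'Authorization: Bearer <token>' header value."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def dav_auth_vulnerable(store: SessionStore, authorization: Optional[str]) -> Optional[str]:
    """Flawed behaviour: any live session id presented as a Bearer token is accepted."""
    sid = parse_bearer(authorization)
    s = store.get(sid) if sid else None
    return s.user if s else None


def dav_auth_hardened(store: SessionStore, authorization: Optional[str],
                      audit: List[str]) -> Optional[str]:
    """Fixed behaviour: only a session that finished 2FA authenticates to DAV.

    A provisional session offered as a Bearer token is rejected and an audit
    line is recorded, since it is a useful detection signal for defenders.
    """
    sid = parse_bearer(authorization)
    s = store.get(sid) if sid else None
    if s is None:
        return None
    if not s.two_factor_complete:
        audit.append(f"rejected pre-2FA session for {s.user!r} used as Bearer token on DAV")
        return None
    return s.user


if __name__ == "__main__":
    store = SessionStore()
    sid = store.password_login("alice", "correct horse", "correct horse")  # constructed sample
    header = f"Bearer {sid}"
    print("vulnerable:", dav_auth_vulnerable(store, header))   # alice, despite no 2FA
    audit: List[str] = []
    print("hardened:  ", dav_auth_hardened(store, header, audit))  # None
    store.complete_totp(sid, "123456", "123456")                # constructed sample code
    print("hardened after TOTP:", dav_auth_hardened(store, header, audit))  # alice
    print(audit)
```

The design point is that "authenticated" must be a single property the session carries (here `two_factor_complete`) and that every code path which turns a session into an identity, including non-browser Bearer handling for DAV, checks the same property rather than merely the session's existence.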

Affected Version(s)

Package | Affected range | Patched version
security-advisories | >= 32.0.0, < 32.0.9 | 32.0.9
security-advisories | >= 33.0.0, < 33.0.3 | 33.0.3

References

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
