CVE-2026-45155
Status: Deferred - Pending Action
Missing Access Check Allows Circle Membership in Nextcloud Server

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.7 and 33.0.0 to before 33.0.1, a missing access check at the API level allowed unknown circles to be added, by their ID, directly to other circles. Since circle IDs have 62^15 complexity by default, this is still unlikely to be executable at will, but if an ID was obtained from another source, memberships could be tracked this way. It is recommended that Nextcloud Server is upgraded to 32.0.7 or 33.0.1, and that Nextcloud Enterprise Server is upgraded to 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7 or 33.0.1.
Meta Information
Generated: 2026-06-21
AI Q&A: 2026-06-01
EPSS evaluated: 2026-06-20
Affected Vendors & Products (16 associated CPEs)
Vendor    | Product           | Version / Range
nextcloud | enterprise_server | From 32.0.7 (inc) to 33.0.1 (inc)
nextcloud | enterprise_server | to 29.0.16.14 (inc)
nextcloud | enterprise_server | to 30.0.17.8 (inc)
nextcloud | enterprise_server | to 31.0.14.3 (inc)
nextcloud | server            | to 32.0.7 (inc)
nextcloud | server            | to 33.0.1 (inc)
nextcloud | enterprise_server | From 29.0.0 (inc)
nextcloud | enterprise_server | 32.0.7
nextcloud | enterprise_server | 33.0.1
nextcloud | server            | From 32.0.0 (inc) to 32.0.7 (exc)
nextcloud | server            | From 33.0.0 (inc) to 33.0.1 (exc)
nextcloud | enterprise_server | 29.0.16.14
nextcloud | enterprise_server | 30.0.17.8
nextcloud | enterprise_server | 31.0.14.3
nextcloud | enterprise_server | From 32.0.7 (inc)
nextcloud | enterprise_server | From 33.0.1 (inc)
CWE
CWE-639 (Authorization Bypass Through User-Controlled Key): The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions
Executive Summary

This vulnerability in Nextcloud Server involves a missing access check at the API level that allows an attacker to add unknown circles by their ID directly to other circles.

Circle IDs have a very high complexity (62^15), so exploitation is unlikely without prior access to a valid circle ID from another source.

If an attacker obtains a circle ID, they could use this vulnerability to track memberships by adding circles without proper authorization.

Impact Analysis

The impact of this vulnerability is relatively low, with a CVSS score of 2.6.

An attacker with low privileges and some user interaction could potentially add unknown circles to other circles, which might allow tracking of circle memberships if they have access to circle IDs.

This could lead to unauthorized information disclosure about group memberships within the Nextcloud environment.

Detection Guidance

The root cause is a missing access check at the API level: a request that adds a circle to another circle by its ID is accepted without verifying that the caller is authorized to do so. Detection therefore depends on monitoring API calls that modify circle membership.

Because exploitation consists of adding a circle to another circle by ID, review API request logs for unusual or unauthorized circle additions made by ID, particularly from accounts that have no legitimate reason to manage the circles involved.

No specific commands or detection tools are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade Nextcloud Server to version 32.0.7 or 33.0.1, or Nextcloud Enterprise Server to one of the patched versions (29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7, or 33.0.1).

As a workaround, users can disable the circles app to prevent exploitation of this vulnerability.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
