CVE-2026-45155
Missing Access Check Allows Circle Membership in Nextcloud Server
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | enterprise_server | From 29.0.0 (inc) |
| nextcloud | enterprise_server | 32.0.7 |
| nextcloud | enterprise_server | 33.0.1 |
| nextcloud | server | From 32.0.0 (inc) to 32.0.7 (exc) |
| nextcloud | server | From 33.0.0 (inc) to 33.0.1 (exc) |
| nextcloud | enterprise_server | 29.0.16.14 |
| nextcloud | enterprise_server | 30.0.17.8 |
| nextcloud | enterprise_server | 31.0.14.3 |
| nextcloud | enterprise_server | From 32.0.7 (inc) |
| nextcloud | enterprise_server | From 33.0.1 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Nextcloud Server involves a missing access check at the API level that allows an attacker to add unknown circles by their ID directly to other circles.
Circle IDs have a very high complexity (62^15), so exploitation is unlikely without prior access to a valid circle ID from another source.
If an attacker obtains a circle ID, they could use this vulnerability to track memberships by adding circles without proper authorization.
How can this vulnerability impact me?
The impact of this vulnerability is relatively low, with a CVSS score of 2.6.
An attacker with low privileges and some user interaction could potentially add unknown circles to other circles, which might allow tracking of circle memberships if they have access to circle IDs.
This could lead to unauthorized information disclosure about group memberships within the Nextcloud environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Because the flaw is a missing access check on the API endpoint that adds a circle to another circle by its ID, detection means monitoring the API calls that modify circle membership.
In practice that means inspecting API request logs for circle-type member additions that the requesting user would not normally be allowed to make, in particular additions referencing circle IDs the user has no visible relation to.
No specific commands or detection tools are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Nextcloud Server to version 32.0.7 or 33.0.1, or Nextcloud Enterprise Server to one of the patched versions (29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7, or 33.0.1).
As a workaround, users can disable the circles app to prevent exploitation of this vulnerability.
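As an added example (not part of this record and not Nextcloud's own tooling), the following Python check applies the fixed versions quoted above to the output of `occ status` to decide whether an instance is still in an affected range. The `versionstring` and `edition` field names, the `Enterprise` edition value and the sample output are assumptions.

```python
"""Added example (not Nextcloud's own code): test whether a Nextcloud
instance falls in a range this advisory lists as affected by CVE-2026-45155."""
import re

# Fixed versions per branch, as quoted in the mitigation answer above; a
# version is affected when its branch is listed and it is older than the fix.
FIXED_VERSIONS = {
    "server": {32: (32, 0, 7), 33: (33, 0, 1)},
    "enterprise_server": {
        29: (29, 0, 16, 14), 30: (30, 0, 17, 8), 31: (31, 0, 14, 3),
        32: (32, 0, 7), 33: (33, 0, 1),
    },
}

def parse_version(text):
    """'32.0.5' -> (32, 0, 5); a trailing label such as 'rc1' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_affected(product, version):
    """True when `version` is older than the fix for its branch of `product`.
    Branches the advisory does not list (e.g. server 31.x) return False;
    Python tuple ordering makes 29.0.16 < 29.0.16.14, as intended."""
    v = parse_version(version)
    fix = FIXED_VERSIONS[product].get(v[0])
    return fix is not None and v < fix

def parse_occ_status(output):
    """Extract (product, versionstring) from `occ status` output. Assumption:
    it prints '- versionstring:' and '- edition:' lines, and the enterprise
    build reports edition 'Enterprise' (community leaves it empty)."""
    line_re = r"^[ \t]*-[ \t]*(\w+):[ \t]*(.*?)[ \t]*$"
    fields = dict(re.findall(line_re, output, re.M))
    edition = fields.get("edition", "").lower()
    product = "enterprise_server" if edition == "enterprise" else "server"
    return product, fields["versionstring"]

def check_instance(output):
    """Is the instance described by this `occ status` output affected?"""
    return is_affected(*parse_occ_status(output))

# Constructed sample of `occ status` output for a community 32.0.5 instance.
SAMPLE_STATUS = """\
  - version: 32.0.5.1
  - versionstring: 32.0.5
  - edition:
  - maintenance: false
"""
```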
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.