CVE-2026-45156
Authentication Bypass in Nextcloud via OIDC
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | user_oidc | From 0.3.0 (inc) to 3.1.0 (exc) |
| nextcloud | user_oidc | From 5.0.0 (inc) to 5.1.0 (exc) |
| nextcloud | user_oidc | From 6.0.0 (inc) to 6.4.0 (exc) |
| nextcloud | user_oidc | 3.1.0 |
| nextcloud | user_oidc | 4.1.0 |
| nextcloud | user_oidc | 5.1.0 |
| nextcloud | user_oidc | 6.4.0 |
| nextcloud | user_oidc | 8.3.0 |
| nextcloud | nextcloud | From 0.3.0 (inc) to 3.1.0 (exc) |
| nextcloud | nextcloud | From 5.0.0 (inc) to 5.1.0 (exc) |
| nextcloud | nextcloud | From 6.0.0 (inc) to 6.4.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Nextcloud User OIDC app, where missing signature verification allowed a malicious ID4me authority to impersonate any user. In effect, the app did not verify the authenticity of the ID4me login tokens it received, so an attacker controlling such an authority could bypass authentication by presenting forged tokens.
The issue affected multiple versions of the app and was fixed by adding signature validation to the ID4me login tokens, so that only properly signed tokens are accepted.
How can this vulnerability impact me?
This vulnerability can lead to an authentication bypass, allowing attackers to impersonate any user without proper credentials.
- Attackers can gain unauthorized access to user accounts.
- Sensitive data and content collaboration resources may be exposed.
- It can result in a loss of trust and potential data breaches.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users should upgrade the Nextcloud User OIDC app to one of the patched versions: 3.1.0, 4.1.0, 5.1.0, 6.4.0, or 8.3.0.
As a temporary workaround, users can disable the ID4me feature to prevent exploitation until an upgrade is possible.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows a malicious ID4me authority to impersonate any user due to missing signature verification in the User OIDC app, leading to an authentication bypass.
Such an authentication bypass can result in unauthorized access to sensitive user data, which may violate data protection requirements under regulations like GDPR and HIPAA.
Therefore, if exploited, this vulnerability could compromise the confidentiality and integrity of personal or protected health information, potentially causing non-compliance with these standards.
Upgrading to patched versions or disabling the ID4me feature is advised to mitigate this risk and maintain compliance.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is related to a missing signature verification in the User OIDC app for Nextcloud, allowing a malicious ID4me authority to impersonate any user. Detection would primarily involve verifying the version of the User OIDC app installed on your Nextcloud instance.
To detect if your system is vulnerable, check the installed version of the User OIDC app. Versions before 3.1.0, 5.1.0, 6.4.0, and 8.3.0 are vulnerable.
Suggested commands to check the installed version on your Nextcloud server might include:
- Using the Nextcloud command line tool to list installed apps and their versions: `sudo -u www-data php /var/www/nextcloud/occ app:list`
- Filtering that list for the user_oidc app and its version (the `app:list` output prints each app with its installed version): `sudo -u www-data php /var/www/nextcloud/occ app:list | grep user_oidc`
Additionally, monitoring authentication logs for suspicious ID4me login attempts or unexpected user impersonation events could help detect exploitation attempts, but no specific network detection commands or signatures are provided in the available resources.
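As an added example (not part of this record and not the Nextcloud project's own tooling), the following POSIX shell script automates the version check described above: it parses the output of `occ app:list` to find the installed user_oidc version and tests it against the affected ranges given in the Affected Vendors & Products table. The sample `app:list` output is constructed, the `- app: version` line format and the /var/www/nextcloud path are assumptions, and the script encodes only the three ranges the table lists; the table gives no range for the 4.x and 8.x branches even though 4.1.0 and 8.3.0 appear among the patched releases, so a version outside the encoded ranges is reported as "not in a listed range" rather than as safe.

```shell
#!/bin/sh
# Added example: check the installed user_oidc version against the affected
# ranges listed in this CVE record. Not the Nextcloud project's own tooling.

# Affected ranges copied from the Affected Vendors & Products table, written
# as "lower(inclusive):upper(exclusive)". The table lists no range for the
# 4.x or 8.x branches, so those are deliberately not encoded here.
AFFECTED_RANGES="0.3.0:3.1.0 5.0.0:5.1.0 6.0.0:6.4.0"

# Constructed sample of `occ app:list` output; the "- app: version" line
# format is an assumption about that command's output.
SAMPLE_APP_LIST='Enabled:
  - activity: 2.18.0
  - user_oidc: 6.3.0
Disabled:
  - encryption: 2.14.0'

# vercmp A B: print -1, 0 or 1 as dotted version A is <, =, > version B.
# Missing components count as 0, so 3.1 compares equal to 3.1.0.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x < y) { print -1; exit }
      if (x > y) { print 1; exit }
    }
    print 0
  }'
}

# in_range V LO HI: succeed if LO <= V < HI.
in_range() {
  [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -lt 0 ]
}

# user_oidc_in_affected_range V: succeed if V falls inside any encoded range.
user_oidc_in_affected_range() {
  for range in $AFFECTED_RANGES; do
    if in_range "$1" "${range%%:*}" "${range#*:}"; then
      return 0
    fi
  done
  return 1
}

# extract_user_oidc_version: read app:list output on stdin and print the
# user_oidc version (first match), or nothing if the app is not listed.
extract_user_oidc_version() {
  sed -n 's/^[[:space:]]*- user_oidc:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# report_user_oidc_status: read app:list output on stdin and print a verdict.
# Exit status: 0 not in a listed range, 1 inside a listed range, 2 app absent.
report_user_oidc_status() {
  version=$(extract_user_oidc_version)
  if [ -z "$version" ]; then
    echo "user_oidc: not present in app:list output"
    return 2
  fi
  if user_oidc_in_affected_range "$version"; then
    echo "user_oidc $version: inside an affected range listed for CVE-2026-45156; upgrade the app or disable ID4me"
    return 1
  fi
  echo "user_oidc $version: not inside a listed affected range (4.x/8.x ranges are not encoded; compare against the patched releases manually)"
  return 0
}

# Demo on the constructed sample. On a real server (path assumed) run:
#   sudo -u www-data php /var/www/nextcloud/occ app:list | report_user_oidc_status
printf '%s\n' "$SAMPLE_APP_LIST" | report_user_oidc_status || true
```

The exit status of `report_user_oidc_status` makes the check usable from a configuration-management or monitoring job: a status of 1 flags an instance that is inside a listed affected range and still needs the upgrade or the ID4me workaround from the mitigation answer above.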