CVE-2026-45157
Deferred Deferred - Pending Action
Information Disclosure in Nextcloud Server

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a malicious user has access to a file share of a user, they could use this share token to also access the chunking upload directly and see temporary part files during on going uploads. It is recommended that the Nextcloud Server is upgraded to 32.0.9 or 33.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 26.0.13.26, 27.1.11.25, 28.0.14.17, 29.0.16.16, 30.0.17.9, 31.0.14.5, 32.0.9 or 33.0.3
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-45157
EUVD
EUVD-2026-33676
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
nextcloud enterprise_server From 26.0.0 (inc) to 33.0.3 (exc)
nextcloud server 32.0.9
nextcloud server 33.0.3
nextcloud server From 32.0.0 (inc) to 32.0.9 (exc)
nextcloud server From 33.0.0 (inc) to 33.0.3 (exc)
nextcloud enterprise_server 26.0.13.26
nextcloud enterprise_server 27.1.11.25
nextcloud enterprise_server 28.0.14.17
nextcloud enterprise_server 29.0.16.16
nextcloud enterprise_server 30.0.17.9
nextcloud enterprise_server 31.0.14.5
nextcloud enterprise_server From 32.0.9 (inc) to 33.0.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Nextcloud Server versions 32.0.0 to before 32.0.9 and 33.0.0 to before 33.0.3, as well as certain Nextcloud Enterprise Server versions. When a malicious user has access to a file share of another user, they can misuse the share token to access temporary part files used during ongoing uploads. This happens because of improper access control, allowing unauthorized viewing of these temporary upload files.

The vulnerability requires low privileges and user interaction but can lead to a high impact on confidentiality since sensitive temporary files can be exposed.

Impact Analysis

If exploited, this vulnerability allows an attacker with access to a shared file to view temporary upload files that they should not normally see. This can lead to unauthorized disclosure of sensitive data during file uploads.

The impact is primarily on confidentiality, as the attacker can access parts of files being uploaded temporarily. The integrity and availability of the system are less affected.

Detection Guidance

There are no specific detection commands or methods provided to identify this vulnerability on your network or system.

The vulnerability involves unauthorized access to temporary upload files via valid share tokens in affected Nextcloud versions, which requires having access to a file share.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade your Nextcloud Server or Enterprise Server to a patched version.

  • Upgrade Nextcloud Server to version 32.0.9 or 33.0.3 or later.
  • Upgrade Nextcloud Enterprise Server to one of the patched versions: 26.0.13.26, 27.1.11.25, 28.0.14.17, 29.0.16.16, 30.0.17.9, 31.0.14.5, 32.0.9, or 33.0.3.

No workarounds are provided, so applying the official patches is the primary mitigation.

Compliance Impact

This vulnerability allows unauthorized access to temporary upload files of the share owner by a malicious user who has access to a shared file. Such unauthorized access to confidential data can lead to breaches of data privacy and confidentiality requirements.

Since regulations like GDPR and HIPAA mandate strict controls over personal and sensitive data to prevent unauthorized access and data leaks, this vulnerability could negatively impact compliance by exposing sensitive information during ongoing uploads.

Organizations using affected versions of Nextcloud Server or Enterprise Server should upgrade to patched versions to mitigate this risk and maintain compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45157. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart