CVE-2026-45159
Status: Deferred - Pending Action
Improper Access Control in Nextcloud End-to-End Encrypted Files Drop

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Nextcloud is an open source content collaboration platform. From versions 1.15.0 to before 1.15.4, 1.16.0 to before 1.16.3, 1.17.0 to before 1.17.1, and 1.18.0 to before 1.18.1, a malicious user with access to an end-to-end encrypted files drop link was able to also drop files into other end-to-end encrypted folders of the share owner. Reading and modifying of other files was not possible. This issue has been patched in versions 1.15.4, 1.16.3, 1.17.1, 1.18.1, and 2.0.0-rc.7.
CVSS Scores: not listed on this page
EPSS Scores: probability and percentile not listed on this page
Meta Information
Generated: 2026-06-22
AI Q&A: 2026-06-01
EPSS Evaluated: 2026-06-20
Affected Vendors & Products
Showing 18 associated CPEs. Note that the list mixes the affected ranges with the fixed versions themselves (1.15.4, 1.16.3, 1.17.1, 1.18.1, 2.0.0-rc.7) and with "to X (inc)" entries that would include the fix, and the four "nextcloud nextcloud" rows repeat the app ranges under the server product name. Treat the version ranges in the Description as authoritative when matching inventory.
Vendor Product Version / Range
nextcloud end_to_end_encryption 1.15.4
nextcloud end_to_end_encryption 1.16.3
nextcloud end_to_end_encryption 1.17.1
nextcloud end_to_end_encryption 1.18.1
nextcloud end_to_end_encryption 2.0.0-rc.7
nextcloud end_to_end_encryption From 1.15.0 (inc) to 1.15.4 (exc)
nextcloud end_to_end_encryption From 1.16.0 (inc) to 1.16.3 (exc)
nextcloud end_to_end_encryption From 1.17.0 (inc) to 1.17.1 (exc)
nextcloud end_to_end_encryption From 1.18.0 (inc) to 1.18.1 (exc)
nextcloud end_to_end_encryption to 1.15.4 (inc)
nextcloud end_to_end_encryption to 1.16.3 (inc)
nextcloud end_to_end_encryption to 1.17.1 (inc)
nextcloud end_to_end_encryption to 1.18.1 (inc)
nextcloud end_to_end_encryption to 2.0.0-rc.7 (inc)
nextcloud nextcloud From 1.15.0 (inc) to 1.15.4 (exc)
nextcloud nextcloud From 1.16.0 (inc) to 1.16.3 (exc)
nextcloud nextcloud From 1.17.0 (inc) to 1.17.1 (exc)
nextcloud nextcloud From 1.18.0 (inc) to 1.18.1 (exc)
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions
Executive Summary

CVE-2026-45159 is a vulnerability in Nextcloud's End-to-End Encryption app affecting versions from 1.15.0 to before 1.15.4, 1.16.0 to before 1.16.3, 1.17.0 to before 1.17.1, and 1.18.0 to before 1.18.1.

A malicious user who has access to an end-to-end encrypted files drop link could exploit this vulnerability to drop files into other end-to-end encrypted folders owned by the share owner. However, the attacker could not read or modify existing files, only add new ones.

The root cause is an authorization bypass through a user-controlled key (CWE-639): the requester can alter the identifier naming the destination folder, and the server does not tie that identifier back to the one folder the files drop link was created for, so any other end-to-end encrypted folder of the same owner is accepted.

The vulnerability has been patched in versions 1.15.4, 1.16.3, 1.17.1, 1.18.1, and 2.0.0-rc.7.
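The following is an added illustrative model, not Nextcloud's code, of the CWE-639 pattern that the Description and this summary describe: a files drop link is bound to one folder, but the vulnerable upload path trusts a client-supplied target folder and checks only that it belongs to the share owner, so any of the owner's other end-to-end encrypted folders can receive files (while existing files are still neither readable nor modifiable). The actual Nextcloud code path is not on this page; the folder names, share token, handler functions and file names are all constructed for the example.

```python
"""Illustrative model (added example, not Nextcloud's code) of the
authorization flaw class behind CVE-2026-45159 (CWE-639).

Assumption, stated here and in the lead-in: the vulnerable files drop upload
path trusted a client-supplied target folder and verified only that the
folder belonged to the share owner, so any of the owner's E2EE folders could
receive files. All folder names, tokens and file names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Folder:
    folder_id: str
    owner: str
    files: list = field(default_factory=list)   # only new entries are ever appended


@dataclass
class FilesDropShare:
    token: str       # the secret carried in the files drop link
    owner: str
    folder_id: str   # the single folder this link is meant to write into


class PermissionDenied(Exception):
    pass


# Constructed sample state: alice owns two E2EE folders, only "inbox" is shared.
FOLDERS = {
    "inbox": Folder("inbox", owner="alice"),
    "private": Folder("private", owner="alice"),
    "bob-docs": Folder("bob-docs", owner="bob"),
}
SHARES = {
    "tok-abc123": FilesDropShare("tok-abc123", owner="alice", folder_id="inbox"),
}


def _lookup_share(token: str) -> FilesDropShare:
    share = SHARES.get(token)
    if share is None:
        raise PermissionDenied("unknown files drop token")
    return share


def vulnerable_drop(token: str, requested_folder_id: str, filename: str) -> str:
    """Vulnerable: the target folder is taken from the request. The only check
    is ownership, which every folder of the share owner passes, so the link
    holder can drop into "private" as easily as into "inbox"."""
    share = _lookup_share(token)
    folder = FOLDERS.get(requested_folder_id)
    if folder is None or folder.owner != share.owner:
        raise PermissionDenied("folder does not belong to the share owner")
    folder.files.append(filename)       # still write-only: no read, no overwrite
    return folder.folder_id


def hardened_drop(token: str, requested_folder_id: str, filename: str) -> str:
    """Hardened: the writable folder is derived from the share record itself;
    a request naming any other folder is rejected rather than trusted."""
    share = _lookup_share(token)
    if requested_folder_id != share.folder_id:
        raise PermissionDenied("folder is not the one bound to this share")
    folder = FOLDERS[share.folder_id]
    folder.files.append(filename)
    return folder.folder_id


if __name__ == "__main__":
    print("vulnerable:", vulnerable_drop("tok-abc123", "private", "planted.enc"))
    try:
        hardened_drop("tok-abc123", "private", "planted.enc")
    except PermissionDenied as exc:
        print("hardened: rejected ->", exc)
```

The point of the hardened variant is that the writable folder is a property of the share record looked up by token, never of the request; an ownership check alone is the bug, because it is satisfied by every folder the share owner has.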

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Nextcloud End-to-End Encryption app to one of the patched versions.

  • Upgrade to version 1.15.4 or later in the 1.15.x series.
  • Upgrade to version 1.16.3 or later in the 1.16.x series.
  • Upgrade to version 1.17.1 or later in the 1.17.x series.
  • Upgrade to version 1.18.1 or later in the 1.18.x series.
  • Alternatively, upgrade to version 2.0.0-rc.7 or later.

No workaround is documented. The attack needs a valid files drop link to one of the owner's end-to-end encrypted folders, so exposure is limited to owners who have such links active, but applying the update is the only recommended mitigation.

Compliance Impact

The vulnerability allows a holder of an end-to-end encrypted files drop link to add files to other end-to-end encrypted folders of the share owner without permission. Existing files cannot be read or modified, but unauthorized files can be introduced into a user's encrypted environment.

That unauthorized write can bear on data-protection obligations such as GDPR or HIPAA, which expect integrity and access control over stored data; an attacker-chosen file appearing inside a folder the owner regards as private undermines both.

The CVE description and linked resources do not themselves address compliance or regulatory impact; the assessment above is an inference from the described behaviour.

Impact Analysis

This vulnerability allows an attacker with access to a files drop share link to add unauthorized files into other end-to-end encrypted folders of the share owner.

While existing files cannot be read or modified, an attacker who chooses the destination folder can plant files of their choosing (malicious or misleading content) in folders the owner treats as private and never exposed to outside uploads, causing confusion and disrupting the intended folder structure.

The CVSS score of 3.5 indicates low severity: the attack is network-reachable and low-complexity but needs low privileges and user interaction, and its impact is limited to integrity (adding files), with no confidentiality impact.

Detection Guidance

The advisory provides no detection method or commands. In practice the check is the installed version of the End-to-End Encryption app against the affected ranges listed above; on the owner side, new entries appearing in end-to-end encrypted folders that were never exposed through a files drop link would be the observable symptom.
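As an added example (not from the advisory or from Nextcloud), the following checker reads the installed end_to_end_encryption app version and tests it against the ranges in the Description. It parses the plain-text listing printed by `occ app:list`; that Enabled:/Disabled: format is assumed, and the sample output embedded in the script is constructed rather than captured from a real server. Treating 2.0.0 release candidates earlier than rc.7 as affected is the author's inference from 2.0.0-rc.7 being named as a fixed release, not advisory text.

```python
"""Added example (not from the advisory or Nextcloud): decide whether an
installed end_to_end_encryption app version is in an affected range of
CVE-2026-45159. Parses the plain-text output of `occ app:list`; the
Enabled:/Disabled: listing format is assumed and SAMPLE_APP_LIST is
constructed, not captured from a real server.
"""
import re
import sys

APP = "end_to_end_encryption"

# (first affected, first fixed) per branch, copied from the advisory text.
AFFECTED_RANGES = [
    ((1, 15, 0), (1, 15, 4)),
    ((1, 16, 0), (1, 16, 3)),
    ((1, 17, 0), (1, 17, 1)),
    ((1, 18, 0), (1, 18, 1)),
]
# The advisory names 2.0.0-rc.7 as a fixed release. Treating earlier 2.0.0
# release candidates as affected is this example's assumption, not advisory text.
FIXED_RC = ((2, 0, 0), 7)

SAMPLE_APP_LIST = """\
Enabled:
  - activity: 3.0.0
  - end_to_end_encryption: 1.16.2
  - files: 2.0.0
Disabled:
  - encryption: 2.17.0
"""

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?")
_APP_LINE_RE = re.compile(r"-\s*(\w+):\s*(\S+)")


def parse_version(text: str):
    """Return ((major, minor, patch), rc_number_or_None); reject anything else."""
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unparseable app version: {text!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    rc = int(m.group(4)) if m.group(4) is not None else None
    return core, rc


def is_affected(version: str) -> bool:
    core, rc = parse_version(version)
    if any(lo <= core < fixed for lo, fixed in AFFECTED_RANGES):
        return True
    # 2.0.0-rc.N with N < 7 (assumed affected); 2.0.0 final and rc.7+ are not.
    return core == FIXED_RC[0] and rc is not None and rc < FIXED_RC[1]


def installed_version(app_list_output: str, app: str = APP):
    """Return (version, enabled) for `app`, or None when it is not installed."""
    section = None
    for raw in app_list_output.splitlines():
        line = raw.strip()
        if line.endswith(":") and not line.startswith("-"):
            section = line[:-1].lower()          # "enabled" or "disabled"
            continue
        m = _APP_LINE_RE.match(line)
        if m and m.group(1) == app:
            return m.group(2), section == "enabled"
    return None


def assess(app_list_output: str) -> dict:
    """Summarise exposure; a disabled-but-installed vulnerable app is still flagged."""
    found = installed_version(app_list_output)
    if found is None:
        return {"installed": False, "version": None, "enabled": False, "affected": False}
    version, enabled = found
    return {"installed": True, "version": version, "enabled": enabled,
            "affected": is_affected(version)}


if __name__ == "__main__":
    # Pipe real output in: sudo -u www-data php occ app:list | python3 this_file.py
    text = SAMPLE_APP_LIST if sys.stdin.isatty() else sys.stdin.read()
    print(assess(text))
```

Run it on the server with the Nextcloud web user so `occ` can read the instance config; with nothing on stdin it evaluates the constructed sample. A disabled app is reported as affected as well, since the vulnerable code is still on disk and can be re-enabled.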
