CVE-2026-45159
Improper Access Control in Nextcloud End-to-End Encrypted Files Drop
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | end_to_end_encryption | From 1.15.0 (inc) to 1.15.4 (exc) |
| nextcloud | end_to_end_encryption | From 1.16.0 (inc) to 1.16.3 (exc) |
| nextcloud | end_to_end_encryption | From 1.17.0 (inc) to 1.17.1 (exc) |
| nextcloud | end_to_end_encryption | From 1.18.0 (inc) to 1.18.1 (exc) |
| nextcloud | end_to_end_encryption | 2.0.0 pre-releases before 2.0.0-rc.7 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45159 is a vulnerability in Nextcloud's End-to-End Encryption app affecting versions from 1.15.0 to before 1.15.4, 1.16.0 to before 1.16.3, 1.17.0 to before 1.17.1, and 1.18.0 to before 1.18.1.
A malicious user who has access to an end-to-end encrypted files drop link could exploit this vulnerability to drop files into other end-to-end encrypted folders owned by the share owner. However, the attacker could not read or modify existing files, only add new ones.
This issue is caused by an authorization bypass where the system fails to properly restrict access based on user-controlled keys, identified as CWE-639.
The vulnerability has been patched in versions 1.15.4, 1.16.3, 1.17.1, 1.18.1, and 2.0.0-rc.7.
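The CWE-639 pattern described above, as an added illustration that is not Nextcloud's code: a files-drop upload handler that takes the target folder from the request instead of deriving it from the share token, next to the hardened form. The share and folder records, identifiers and handler names are constructed for this example; the actual Nextcloud check and fix are not shown on this page.

```python
from dataclasses import dataclass

# Constructed model of a files-drop upload endpoint. Not Nextcloud code: the
# share/folder records, ids and handler names are hypothetical.


@dataclass(frozen=True)
class Share:
    token: str
    owner: str
    folder_id: int  # the one folder this drop link is allowed to write into


@dataclass(frozen=True)
class Folder:
    folder_id: int
    owner: str
    e2e: bool


SHARES = {"dr0pT0k3n": Share("dr0pT0k3n", "alice", 10)}
FOLDERS = {
    10: Folder(10, "alice", True),  # the folder the drop link was created for
    11: Folder(11, "alice", True),  # another E2E folder of the same owner
    20: Folder(20, "bob", True),    # a folder of a different user
}
UPLOADS = []  # (folder_id, filename) pairs that a handler accepted


class Forbidden(Exception):
    pass


def upload_vulnerable(token, folder_id, filename):
    """CWE-639 pattern: the client-supplied folder id is honoured as long as the
    folder belongs to the share owner, so every folder of the owner is reachable
    from one drop link, not just the folder the link was created for."""
    share = SHARES.get(token)
    folder = FOLDERS.get(folder_id)
    if share is None or folder is None or folder.owner != share.owner:
        raise Forbidden
    UPLOADS.append((folder_id, filename))
    return folder_id


def upload_hardened(token, folder_id, filename):
    """The target folder is fixed by the share record; a client-supplied id that
    differs from it is rejected instead of being used as the authorization key."""
    share = SHARES.get(token)
    if share is None:
        raise Forbidden
    if folder_id != share.folder_id:
        raise Forbidden
    UPLOADS.append((share.folder_id, filename))
    return share.folder_id


def attempt(handler, token, folder_id, filename):
    """Run one upload attempt and report the outcome as a string."""
    try:
        return f"stored in folder {handler(token, folder_id, filename)}"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    for handler in (upload_vulnerable, upload_hardened):
        for target in (10, 11, 20):
            print(handler.__name__, target, attempt(handler, "dr0pT0k3n", target, "dropped.bin"))
```

The ownership check in the vulnerable handler is what makes the bug subtle: it looks like an authorization check, but it authorizes the wrong thing (any folder of the owner) because the folder id still comes from the attacker.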
How can this vulnerability impact me?
This vulnerability allows an attacker with access to a files drop share link to add unauthorized files into other end-to-end encrypted folders of the share owner.
While the attacker cannot read or modify existing files, the ability to add files could lead to confusion, storage of malicious content, or disruption of the intended file structure.
The CVSS score of 3.5 indicates a low severity impact, requiring network access, low privileges, and user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The CVE record gives no detection signature or commands. The practical check is the installed version of the End-to-End Encryption app, which `occ app:list` prints for every installed app, compared against the fixed versions (1.15.4, 1.16.3, 1.17.1, 1.18.1, 2.0.0-rc.7).
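A version check against the fixed releases, added here as an example (not from the CVE record or the Nextcloud project). It assumes the JSON shape printed by `occ app:list --output=json` (maps of app id to version under `enabled` and `disabled`); the sample output is constructed, and treating every 2.0.0 pre-release before rc.7 as affected is an assumption, since the page names only rc.7 as the fixed pre-release.

```python
import json
import re

# Affected ranges from the advisory, as [first affected, first fixed) per series.
# "2.0.0-0" is the smallest 2.0.0 pre-release in semver ordering, so the last
# range covers every 2.0.0 pre-release before rc.7 (assumption: the page only
# names rc.7 as the fixed pre-release).
AFFECTED_RANGES = [
    ("1.15.0", "1.15.4"),
    ("1.16.0", "1.16.3"),
    ("1.17.0", "1.17.1"),
    ("1.18.0", "1.18.1"),
    ("2.0.0-0", "2.0.0-rc.7"),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def version_key(version):
    """Semver-style sort key: a release outranks pre-releases of the same number,
    numeric pre-release identifiers compare as integers and rank below
    alphanumeric ones (so rc.6 < rc.7 and 2.0.0-rc.7 < 2.0.0)."""
    m = _VERSION_RE.fullmatch(version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, pre = m.groups()
    core = (int(major), int(minor), int(patch))
    if pre is None:
        return core + (1,)
    idents = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return core + (0, idents)


def assess(version):
    """'vulnerable' if the version falls inside one of the advisory's ranges,
    otherwise 'not_affected' (meaning: not listed as affected by this CVE)."""
    k = version_key(version)
    for lo, hi in AFFECTED_RANGES:
        if version_key(lo) <= k < version_key(hi):
            return "vulnerable"
    return "not_affected"


def check_occ_app_list(occ_json, app_id="end_to_end_encryption"):
    """Reads the JSON printed by `occ app:list --output=json` (assumed shape: an
    object with 'enabled' and 'disabled' maps of app id to version) and returns
    (state, version, assessment), or None if the app is not installed at all."""
    data = json.loads(occ_json)
    for state in ("enabled", "disabled"):
        version = (data.get(state) or {}).get(app_id)
        if version:
            return state, version, assess(version)
    return None


# Constructed sample of `occ app:list --output=json` output; versions are invented.
SAMPLE_OCC_OUTPUT = json.dumps({
    "enabled": {"files": "2.0.0", "end_to_end_encryption": "1.17.0"},
    "disabled": {"survey_client": "1.0.0"},
})

if __name__ == "__main__":
    print(check_occ_app_list(SAMPLE_OCC_OUTPUT))
```

On a live instance the input would come from `sudo -u www-data php occ app:list --output=json`; a disabled copy of the app still reports a version and still needs the update, which is why the check looks in both maps.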
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade your Nextcloud End-to-End Encryption app to one of the patched versions.
- Upgrade to version 1.15.4 or later in the 1.15.x series.
- Upgrade to version 1.16.3 or later in the 1.16.x series.
- Upgrade to version 1.17.1 or later in the 1.17.x series.
- Upgrade to version 1.18.1 or later in the 1.18.x series.
- Alternatively, upgrade to version 2.0.0-rc.7 or later.
No workarounds are available, so applying the update is the only recommended mitigation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows a malicious user with access to an end-to-end encrypted files drop link to add files into other end-to-end encrypted folders of the share owner without permission. Although reading or modifying existing files is not possible, unauthorized file addition could potentially lead to unauthorized data being introduced into a user's encrypted environment.
This unauthorized file addition could impact compliance with data protection standards such as GDPR or HIPAA by undermining the integrity and control of encrypted data environments. Specifically, it may violate principles of data integrity and access control, which are critical for maintaining compliance with these regulations.
However, the CVE description and resources do not explicitly mention compliance impacts or regulatory considerations.