CVE-2026-45264
Privilege Escalation in Nextcloud Team Folder
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | team_folders | From 17.0.0 (inc) to 17.0.15 (exc) |
| nextcloud | team_folders | From 18.0.0 (inc) to 18.1.12 (exc) |
| nextcloud | team_folders | From 19.0.0 (inc) to 19.1.16 (exc) |
| nextcloud | team_folders | From 20.0.0 (inc) to 20.1.11 (exc) |
| nextcloud | team_folders | From 21.0.0 (inc) to 21.0.4 (exc) |
| nextcloud | team_folders | 17.0.15 |
| nextcloud | team_folders | 18.1.12 |
| nextcloud | team_folders | 19.1.16 |
| nextcloud | team_folders | 20.1.11 |
| nextcloud | team_folders | 21.0.4 |
| nextcloud | nextcloud | From 17.0.0 (inc) to 17.0.15 (exc) |
| nextcloud | nextcloud | From 18.0.0 (inc) to 18.1.12 (exc) |
| nextcloud | nextcloud | From 19.0.0 (inc) to 19.1.16 (exc) |
| nextcloud | nextcloud | From 20.0.0 (inc) to 20.1.11 (exc) |
| nextcloud | nextcloud | From 21.0.0 (inc) to 21.0.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows users with READ and CREATE permissions, but without UPDATE permission, to rename files within a team folder due to improper access control. While this issue has a moderate severity rating (CVSS score 4.3) and impacts integrity, it does not affect confidentiality or availability.
Because the vulnerability does not impact confidentiality or availability of data, it is less likely to directly violate compliance requirements related to data privacy and protection such as GDPR or HIPAA. However, the ability to rename files without proper authorization could affect data integrity and audit controls, which are important aspects of compliance.
Organizations relying on Nextcloud Team Folders should apply the patches or disable the app to maintain proper access controls and ensure compliance with standards that require strict permission enforcement and data integrity.
Can you explain this vulnerability to me?
This vulnerability affects Nextcloud's Team Folders app, where users who have READ and CREATE permissions but do not have UPDATE permission can still rename files within a team folder. This is a permission bypass issue caused by improper access control.
It impacts multiple versions of Nextcloud from 17.0.0 up to but not including certain patched versions (17.0.15, 18.1.12, 19.1.16, 20.1.11, and 21.0.4). The flaw allows unauthorized renaming of files despite lacking the necessary UPDATE permission.
How can this vulnerability impact me?
The vulnerability allows users with limited permissions to rename files in team folders without proper authorization. While it does not affect confidentiality or availability, it can lead to unauthorized modification of file names, potentially causing confusion, disruption of workflows, or mismanagement of files.
Because the attack complexity is low and only requires limited privileges, it poses a moderate risk that could be exploited by insiders or users with some access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper access control in Nextcloud's Team Folders app, allowing users with READ and CREATE permissions but without UPDATE permission to rename files. Detection would involve verifying the version of the Team Folders app and checking user permissions on team folders.
To detect if your system is vulnerable, first identify the Nextcloud version and Team Folders app version installed. Versions from 17.0.0 up to but not including 17.0.15, 18.0.0 up to 18.1.12, 19.0.0 up to 19.1.16, 20.0.0 up to 20.1.11, and 21.0.0 up to 21.0.4 are affected.
You can check the Nextcloud version by running a command on the server hosting Nextcloud, for example:
- `sudo -u www-data php /path/to/nextcloud/occ status`
Replace "/path/to/nextcloud/" with the actual path to your Nextcloud installation. This command outputs the current Nextcloud version.
To check user permissions on team folders, you would need to review the Team Folders app configuration and user ACLs, which might require inspecting the database or using Nextcloud's administrative interface.
There are no specific network commands or signatures provided in the resources to detect exploitation attempts directly on the network.
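As an added example (not part of the advisory and not Nextcloud's own tooling), the script below applies the version check described above: it reads the JSON that `occ app:list --output=json` prints and compares the Team Folders app version against the affected ranges from the table. The app id `team_folders`, the JSON layout, and the sample output are assumptions made here.

```python
"""Compare a Nextcloud Team Folders app version against the affected ranges
the advisory lists for CVE-2026-45264. Ranges come from the table above; the
app id 'team_folders' and the JSON shape of `occ app:list --output=json`
are assumptions. Usage: pipe that command's output into this script."""
import json
import re
import sys

# (first affected, inclusive) -> (first fixed, exclusive), one pair per branch.
AFFECTED_RANGES = [
    ((17, 0, 0), (17, 0, 15)),
    ((18, 0, 0), (18, 1, 12)),
    ((19, 0, 0), (19, 1, 16)),
    ((20, 0, 0), (20, 1, 11)),
    ((21, 0, 0), (21, 0, 4)),
]
APP_ID = "team_folders"  # assumed app id; use what your instance reports

def parse_version(text):
    """'18.1.3' -> (18, 1, 3); suffixes are ignored, missing parts count as 0."""
    nums = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version):
    """True when the version falls inside any [affected, fixed) range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def app_version_from_occ_json(output):
    """Pull the Team Folders version out of `occ app:list` JSON, or None."""
    data = json.loads(output)
    for state in ("enabled", "disabled"):
        version = (data.get(state) or {}).get(APP_ID)
        if version:  # disabled apps may be listed without a version string
            return version
    return None

def assess(output):
    """One-line verdict for the given occ JSON output."""
    version = app_version_from_occ_json(output)
    if version is None:
        return f"{APP_ID} version not reported: check manually"
    return f"{APP_ID} {version}: {'AFFECTED' if is_affected(version) else 'patched'}"

# Constructed sample, not captured from a real server.
SAMPLE_OUTPUT = '{"enabled": {"files": "2.0.0", "team_folders": "19.1.15"}, "disabled": {}}'

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print(assess(text))
```

Run it as `sudo -u www-data php /path/to/nextcloud/occ app:list --output=json | python3 check_team_folders.py`; without piped input it evaluates the constructed sample.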
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, the primary recommendation is to update the Nextcloud Team Folders app to a patched version.
- Update Team Folders to version 17.0.15, 18.1.12, 19.1.16, 20.1.11, or 21.0.4 or later, depending on your Nextcloud version.
- If immediate updating is not possible, consider disabling the Team Folders app temporarily to prevent exploitation.
These steps address the improper access control issue that allows renaming files without UPDATE permission.