CVE-2026-45266
Privilege Escalation in Nextcloud Calls
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | talk | to 23.0.3 (exc) |
| nextcloud | spreed | * |
| nextcloud | nextcloud | to 23.0.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Nextcloud Talk allows a low-privileged user to force other users' microphones to be muted during calls. This happens due to a missing permission check in the application, but only when the High-performance Backend is not installed.
The issue affects Nextcloud Talk versions prior to 21.1.10, 22.0.11, and 23.0.3 and requires network access, low attack complexity, and user interaction.
The vulnerability has been patched in the mentioned versions, and upgrading or installing the High-performance Backend or disabling the Talk app are recommended mitigations.
How can this vulnerability impact me? :
The impact of this vulnerability is limited to the ability of a low-privileged user to mute other users' microphones during calls without their consent.
This could disrupt communication in calls, causing inconvenience or interruption, but it does not affect confidentiality, data integrity, or system availability.
The CVSS score of 3.5 indicates a low severity impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects Nextcloud Talk versions prior to 21.1.10, 22.0.11, and 23.0.3 when the High-performance Backend is not installed. Detection involves verifying the version of Nextcloud Talk in use and checking whether the High-performance Backend is installed.
You can detect the vulnerability by checking the installed Nextcloud Talk version with commands such as:
- Check the Nextcloud Talk app version via the Nextcloud web interface or by running: `occ app:list | grep spreed`
- Verify the Nextcloud server version with: `occ status` or `occ version`
- Check if the High-performance Backend is installed or enabled by reviewing the app list or configuration.
If the Talk app version is older than the patched versions and the High-performance Backend is not installed, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should upgrade Nextcloud Talk to version 21.1.10, 22.0.11, or 23.0.3 or later, where the issue has been patched.
Alternatively, you can disable the Talk app if it is not needed or install the High-performance Backend, which prevents exploitation of this issue.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows a low-privileged user to mute other users' microphones during calls without proper permission checks, but it does not impact confidentiality, integrity, or availability significantly, as indicated by its low CVSS score of 3.5.
Given the limited impact on core security properties and the nature of the issue, there is no direct information indicating that this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.