CVE-2026-45266
Deferred Deferred - Pending Action
Privilege Escalation in Nextcloud Calls

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Nextcloud is an open source content collaboration platform. Prior to versions 21.1.10, 22.0.11, and 23.0.3, a low-privileged user can force other user's microphones to be muted in calls when no High-performance Backend is installed. This issue has been patched in versions 21.1.10, 22.0.11, and 23.0.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-22
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-45266
EUVD
EUVD-2026-33678
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
nextcloud talk to 23.0.3 (exc)
nextcloud spreed *
nextcloud nextcloud to 23.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Nextcloud Talk allows a low-privileged user to force other users' microphones to be muted during calls. This happens due to a missing permission check in the application, but only when the High-performance Backend is not installed.

The issue affects Nextcloud Talk versions prior to 21.1.10, 22.0.11, and 23.0.3 and requires network access, low attack complexity, and user interaction.

The vulnerability has been patched in the mentioned versions, and upgrading or installing the High-performance Backend or disabling the Talk app are recommended mitigations.

Impact Analysis

The impact of this vulnerability is limited to the ability of a low-privileged user to mute other users' microphones during calls without their consent.

This could disrupt communication in calls, causing inconvenience or interruption, but it does not affect confidentiality, data integrity, or system availability.

The CVSS score of 3.5 indicates a low severity impact.

Detection Guidance

This vulnerability affects Nextcloud Talk versions prior to 21.1.10, 22.0.11, and 23.0.3 when the High-performance Backend is not installed. Detection involves verifying the version of Nextcloud Talk in use and checking whether the High-performance Backend is installed.

You can detect the vulnerability by checking the installed Nextcloud Talk version with commands such as:

  • Check the Nextcloud Talk app version via the Nextcloud web interface or by running: `occ app:list | grep spreed`
  • Verify the Nextcloud server version with: `occ status` or `occ version`
  • Check if the High-performance Backend is installed or enabled by reviewing the app list or configuration.

If the Talk app version is older than the patched versions and the High-performance Backend is not installed, the system is vulnerable.

Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade Nextcloud Talk to version 21.1.10, 22.0.11, or 23.0.3 or later, where the issue has been patched.

Alternatively, you can disable the Talk app if it is not needed or install the High-performance Backend, which prevents exploitation of this issue.

Compliance Impact

This vulnerability allows a low-privileged user to mute other users' microphones during calls without proper permission checks, but it does not impact confidentiality, integrity, or availability significantly, as indicated by its low CVSS score of 3.5.

Given the limited impact on core security properties and the nature of the issue, there is no direct information indicating that this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45266. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart