CVE-2026-45267
Missing Permissions Check in Nextcloud Forms
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | nextcloud | 5.2.6 |
| nextcloud | nextcloud | to 5.2.6 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Nextcloud Forms, prior to version 5.2.6, is caused by a missing permission check that allowed users to read form submissions of other users without proper authorization.
It means that users with low privileges could access sensitive data submitted by others, violating data confidentiality.
The issue was fixed in version 5.2.6 by enforcing proper permission checks on form submissions.
How can this vulnerability impact me?
The primary impact of this vulnerability is a high risk to data confidentiality because unauthorized users could read form submissions of other users.
This could lead to exposure of sensitive or private information collected via forms.
Exploitation requires low privileges and no user interaction, making it easier for attackers to access data.
To mitigate the risk, users should upgrade to Nextcloud Forms version 5.2.6 or disable the Forms app until patched.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users should upgrade Nextcloud Forms to version 5.2.6 or later, where the missing permission check has been patched.
As a temporary workaround, users can disable the Forms app to prevent unauthorized access to form submissions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized users to read form submissions of other users, leading to a high risk to data confidentiality.
Such unauthorized access to personal or sensitive data can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and health information.
Organizations using affected versions of Nextcloud Forms prior to 5.2.6 may face increased risk of non-compliance due to this data confidentiality breach.