CVE-2026-45278
Analyzed Analyzed - Analysis Complete
Open Redirect Vulnerability in Nextcloud

Publication date: 2026-06-01

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that would redirect users to another website, when the victim uses the attackers link to log in via user OIDC. This issue has been patched in version 8.2.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-03
Generated
2026-06-22
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-45278
EUVD
EUVD-2026-33704
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nextcloud user_oidc From 6.1.0 (inc) to 8.2.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-45278 is an Open Redirect vulnerability in the Nextcloud user_oidc login flow. It affects versions from 6.1.0 up to but not including 8.2.2. An attacker can craft malicious links that redirect users to external websites when the users attempt to log in via the OpenID Connect (OIDC) protocol. This happens because the validation of redirect URLs was insufficient, allowing absolute URLs to be used for redirection.

This vulnerability was patched in version 8.2.2 by improving the validation of redirect URLs to prevent the use of absolute URLs, thereby strengthening security in the user_oidc backend.

Impact Analysis

This vulnerability can impact users by allowing attackers to redirect them to malicious or untrusted websites during the login process via user OIDC. This could potentially lead to phishing attacks or other social engineering exploits if users trust the redirected site.

The attack requires user interaction, specifically clicking on a crafted malicious link. The severity is considered low with a CVSS score of 3.3, indicating limited impact but still a security risk.

To mitigate this risk, users should upgrade to Nextcloud user_oidc version 8.2.2 or later, where the vulnerability has been patched.

Detection Guidance

This vulnerability involves crafted links that redirect users to external websites during the user OIDC login flow in Nextcloud versions before 8.2.2. Detection would involve monitoring login attempts for unusual or unexpected redirect URLs.

Since the issue is related to URL redirection during login, you can inspect web server logs or Nextcloud logs for login requests containing suspicious redirect parameters.

Commands to help detect this might include searching logs for redirect parameters or suspicious URLs, for example:

  • grep -i 'redirect' /path/to/nextcloud/data/nextcloud.log
  • grep -Eo 'redirect_uri=[^&]+' /var/log/apache2/access.log | sort | uniq -c
  • Use network monitoring tools to capture HTTP requests during login and analyze redirect URLs for external domains.
Mitigation Strategies

The primary and recommended mitigation step is to upgrade the Nextcloud user_oidc app to version 8.2.2 or later, where the vulnerability has been patched.

No workarounds are available, so applying the official patch by updating is essential to prevent exploitation.

Additionally, educating users to be cautious about clicking on suspicious login links can help reduce risk until the update is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45278. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart