CVE-2026-45279
Status: Analyzed (analysis complete)
Path Traversal in Nextcloud Server

Publication date: 2026-06-01

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if {lang} is used in the template directory config value, non-admin users can in some cases copy arbitrary files (depending on unix permissions) into their own Nextcloud directory via a path traversal. It is recommended that the Nextcloud Server is upgraded to 32.0.4, 31.0.14. It is recommended that the Nextcloud Enterprise Server is upgraded to 32.0.4, 31.0.14, 30.0.17.7, 29.0.17.12, 28.0.14.15
Meta Information
Generated: 2026-06-22
AI Q&A: 2026-06-01
EPSS Evaluated: 2026-06-20
Affected Vendors & Products
Associated CPEs (5 version ranges)
Vendor      Product            Version / Range
nextcloud   nextcloud_server   From 28.0.0 (inc) to 28.0.14.15 (exc)
nextcloud   nextcloud_server   From 29.0.0 (inc) to 29.0.17.12 (exc)
nextcloud   nextcloud_server   From 30.0.0 (inc) to 30.0.17.7 (exc)
nextcloud   nextcloud_server   From 31.0.0 (inc) to 31.0.14 (exc)
nextcloud   nextcloud_server   From 32.0.0 (inc) to 32.0.4 (exc)
The upper bounds of the 28.x to 30.x ranges are the Nextcloud Enterprise Server fix versions named in the description; for the community Nextcloud Server the description names fixes only for the 31.x and 32.x branches.
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Quick Actions (AI-generated analysis)
Executive Summary

CVE-2026-45279 is a path traversal vulnerability in Nextcloud Server and Enterprise Server that occurs when the {lang} placeholder is used in the template directory configuration. The placeholder is replaced with the user's language setting, and because that user-controlled string was not adequately sanitized, a non-admin user could steer the resulting path outside the intended template directory and have the server copy files from elsewhere on the filesystem into their own Nextcloud directory. The copy is performed by the web-server process, so which files are reachable depends on the Unix permissions of that account.

The issue was fixed by improving input sanitization in the cleanLanguage method, ensuring invalid characters are removed from language strings before processing, thus preventing path traversal or injection attacks.
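The substitution and the shape of the fix, as an added example that is not Nextcloud's own code: a PHP script that builds the template directory from a {lang}-templated value the way a naive resolver would, then a hardened resolver that allow-lists the language tag and additionally verifies that the resolved directory stays under the configured base. The directory layout, file names, the attacker-chosen language value `../secret` and the function names are assumptions; the script creates a throw-away sandbox under the system temp directory and removes it when done.

```php
<?php
declare(strict_types=1);

// Added example (not Nextcloud's code): how an unsanitised user language
// string escapes a "{lang}"-templated directory, and a hardened resolver that
// allow-lists the tag and confirms the resolved directory stays under the base.
// Directory layout, file names and function names are assumptions.

// Constructed sandbox so the script runs offline and touches nothing real.
$root = sys_get_temp_dir() . '/cve-2026-45279-demo-' . getmypid();
foreach (["$root/templates/en", "$root/secret", "$root/user/Templates"] as $dir) {
    mkdir($dir, 0700, true);
}
file_put_contents("$root/templates/en/Letter.md", "# Letter template\n");
file_put_contents("$root/secret/db.conf", "dbpassword=example-only\n");

// The admin-configured value, carrying the placeholder the advisory describes.
$configured = "$root/templates/{lang}";

/** Vulnerable: substitutes the stored language string verbatim. */
function templateDirVulnerable(string $configured, string $userLang): string
{
    return str_replace('{lang}', $userLang, $configured);
}

/** Hardened: allow-list the tag, then prove the result is inside the base. */
function templateDirHardened(string $configured, string $userLang): ?string
{
    // Language tags such as "en", "de_DE" or "pt-BR"; no '.', '/', '\' or NUL.
    if (preg_match('/^[A-Za-z0-9_-]{2,20}$/', $userLang) !== 1) {
        return null;
    }
    $pos = strpos($configured, '{lang}');
    if ($pos === false) {
        return realpath($configured) ?: null;   // no placeholder: nothing to substitute
    }
    $base = realpath(substr($configured, 0, $pos));
    $resolved = realpath(str_replace('{lang}', $userLang, $configured));
    if ($base === false || $resolved === false) {
        return null;
    }
    // Containment check: reject anything that resolved outside $base.
    if ($resolved !== $base && strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $resolved;
}

/** Copy every regular file from the template directory into the user's folder. */
function copyTemplates(?string $from, string $to): array
{
    if ($from === null || !is_dir($from)) {
        return [];
    }
    $copied = [];
    foreach (glob("$from/*") ?: [] as $file) {
        if (is_file($file) && copy($file, "$to/" . basename($file))) {
            $copied[] = basename($file);
        }
    }
    return $copied;
}

$attackerLang = '../secret';          // what an attacker would store as their language
$userFolder   = "$root/user/Templates";

echo "legit 'en', vulnerable : ", implode(',', copyTemplates(templateDirVulnerable($configured, 'en'), $userFolder)), "\n";
echo "attacker,   vulnerable : ", implode(',', copyTemplates(templateDirVulnerable($configured, $attackerLang), $userFolder)), "\n";
echo "attacker,   hardened   : ", var_export(templateDirHardened($configured, $attackerLang), true), "\n";
echo "legit 'en', hardened   : ", implode(',', copyTemplates(templateDirHardened($configured, 'en'), $userFolder)), "\n";

// Remove the sandbox.
$walker = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($walker as $entry) {
    $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
}
rmdir($root);
```

Run it with `php demo.php`. The vulnerable resolver copies `db.conf` out of the sandbox's `secret` directory into the user's folder, while the hardened one returns null for the same input. The allow-list alone already rejects the traversal; the realpath containment check is defence in depth for the day the allow-list is loosened or the template tree contains a symlink pointing outside it.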

Impact Analysis

This vulnerability allows a non-admin user to copy files from outside the template directory into their own Nextcloud directory, where they can then read them. The exposure is limited to files the web-server account can read, which on a typical installation includes the instance's own config.php with its database credentials, so the confidentiality impact is real even though the attacker only ever writes into their own space.

The CVSS score of 4.4 indicates a moderate risk. The moderating factors follow from the description: the attacker needs an authenticated account (admin rights are not required), the non-default {lang} placeholder must be in use, and the impact is confined to the confidentiality of files the server process is permitted to read.

Detection Guidance

This vulnerability only applies when the {lang} placeholder is used in the template directory configuration of Nextcloud Server or Enterprise Server; an installation that does not use the placeholder is not exposed, whatever its version.

To check whether your instance is exposed, look for the {lang} placeholder in the templatedirectory value in config/config.php (the skeletondirectory key accepts the same placeholder and is worth reviewing alongside it, although the advisory names only the template directory), and compare the installed version with the fixed versions.

Search the configuration directory for the literal placeholder, using a fixed-string grep because { and } are interval metacharacters in some grep dialects, or read the value through occ, run as the web-server account (www-data on Debian-derived systems). For example:

  • grep -rnF '{lang}' /path/to/nextcloud/config/
  • sudo -u www-data php /path/to/nextcloud/occ config:system:get templatedirectory
  • sudo -u www-data php /path/to/nextcloud/occ status

Additionally, review the activity and audit logs for unexpected file creations in users' own directories (typically their Templates folder), and for user language settings that contain path separators or ".." sequences; either would indicate exploitation attempts.
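One way to script the check above, as an added example rather than anything Nextcloud ships: a PHP script that loads config.php, reports whether templatedirectory or skeletondirectory uses the {lang} placeholder, and compares the installed version with the fixed versions listed in this advisory. The key names templatedirectory and skeletondirectory, the script name and the sample configuration it writes when run without an argument are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not part of Nextcloud: audit a config.php for the {lang}
// placeholder named in CVE-2026-45279 and compare the installed version with
// the fixed versions the advisory lists. The keys 'templatedirectory' and
// 'skeletondirectory' are assumed here; confirm them against config.sample.php.
//
// Usage:  php audit_lang_placeholder.php /path/to/nextcloud/config/config.php
// With no argument it audits a constructed sample config, so it runs offline.

const FIXED_VERSIONS = [
    '32' => '32.0.4',
    '31' => '31.0.14',
    '30' => '30.0.17.7',   // Enterprise Server fix versions: the advisory
    '29' => '29.0.17.12',  // lists no community fix for 28.x to 30.x
    '28' => '28.0.14.15',
];

/** Load Nextcloud's config.php, which assigns $CONFIG in the including scope. */
function loadConfig(string $path): array
{
    $CONFIG = [];
    require $path;
    return is_array($CONFIG) ? $CONFIG : [];
}

/** Return a list of findings; an empty list means nothing to report. */
function auditConfig(array $config): array
{
    $findings = [];
    foreach (['templatedirectory', 'skeletondirectory'] as $key) {
        $value = $config[$key] ?? null;
        if (is_string($value) && str_contains($value, '{lang}')) {
            $findings[] = "$key uses the {lang} placeholder: $value";
        }
    }

    $version = (string)($config['version'] ?? '');
    if ($version === '') {
        $findings[] = "no 'version' key; check the installed version with occ status";
        return $findings;
    }
    $major = explode('.', $version)[0];
    if (isset(FIXED_VERSIONS[$major]) && version_compare($version, FIXED_VERSIONS[$major], '<')) {
        $findings[] = "version $version is below the fixed " . FIXED_VERSIONS[$major];
    }
    return $findings;
}

$path = $argv[1] ?? null;
if ($path === null) {
    // Constructed sample resembling a vulnerable install; not a real config.
    $path = tempnam(sys_get_temp_dir(), 'nc-config-');
    file_put_contents($path, "<?php\n\$CONFIG = array(\n"
        . "  'version' => '31.0.13.2',\n"
        . "  'templatedirectory' => '/var/www/nextcloud/templates/{lang}',\n"
        . ");\n");
}
if (!is_readable($path)) {
    fwrite(STDERR, "cannot read $path\n");
    exit(2);
}

$findings = auditConfig(loadConfig($path));
if ($findings === []) {
    echo "OK: no {lang} placeholder and version not below a listed fix\n";
    exit(0);
}
foreach ($findings as $finding) {
    echo "FINDING: $finding\n";
}
exit(1);
```

Run it as the web-server account so config.php is readable, for example `sudo -u www-data php audit_lang_placeholder.php /path/to/nextcloud/config/config.php`; exit code 1 signals findings. Both findings matter together: the instance is exposed only when the placeholder is in use and the version is below the fix, so a report showing just one of the two is information, not an exposure.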

Mitigation Strategies

The primary mitigation step is to upgrade your Nextcloud Server or Enterprise Server to the patched versions where this vulnerability is fixed.

  • Upgrade Nextcloud Server to version 31.0.14 or 32.0.4 (or later).
  • Upgrade Nextcloud Enterprise Server to version 32.0.4, 31.0.14, 30.0.17.7, 29.0.17.12, or 28.0.14.15 (or later).

If an immediate upgrade is not possible, remove the {lang} placeholder from the template directory configuration (and from skeletondirectory if it is used there) so that the user's language string is no longer substituted into a filesystem path; a single fixed directory removes the attack surface at the cost of per-language templates.

Ensure that the account the web server runs as can read only what Nextcloud needs. The copy happens with that account's permissions, so tightening Unix permissions on sensitive files elsewhere on the host limits what could be exfiltrated, but it does not replace the upgrade.

Compliance Impact

This vulnerability allows non-admin users to copy arbitrary files into their own Nextcloud directory via a path traversal attack, potentially exposing sensitive data depending on Unix permissions.

Such unauthorized access to files could lead to confidentiality breaches, which may impact compliance with data protection regulations like GDPR and HIPAA that require strict controls on access to personal and sensitive information.

Therefore, if exploited, this vulnerability could undermine compliance efforts by enabling unauthorized data access.
