CVE-2026-45279
Path Traversal in Nextcloud Server
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | enterprise_server | 30.0.17.7 |
| nextcloud | enterprise_server | 29.0.17.12 |
| nextcloud | enterprise_server | 28.0.14.15 |
| nextcloud | enterprise_server | to 30.0.17.7 (inc) |
| nextcloud | enterprise_server | to 29.0.17.12 (inc) |
| nextcloud | enterprise_server | to 28.0.14.15 (inc) |
| nextcloud | server | From 31.0.0 (inc) to 31.0.14 (exc) |
| nextcloud | server | From 32.0.0 (inc) to 32.0.4 (exc) |
| nextcloud | enterprise_server | From 31.0.0 (inc) to 31.0.14 (exc) |
| nextcloud | enterprise_server | From 32.0.0 (inc) to 32.0.4 (exc) |
| nextcloud | enterprise_server | From 30.0.17.7 (inc) |
| nextcloud | enterprise_server | From 29.0.17.12 (inc) |
| nextcloud | enterprise_server | From 28.0.14.15 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45279 is a path traversal vulnerability in Nextcloud Server and Enterprise Server that occurs when the {lang} placeholder is used in the template directory configuration. This flaw allows non-admin users, under certain conditions and depending on Unix permissions, to copy arbitrary files into their own Nextcloud directory. The vulnerability arises from insufficient input sanitization of language strings, which can be exploited to manipulate file paths.
The issue was fixed by improving input sanitization in the cleanLanguage method, ensuring invalid characters are removed from language strings before processing, thus preventing path traversal or injection attacks.
How can this vulnerability impact me?
This vulnerability can impact you by allowing non-admin users to copy arbitrary files into their own Nextcloud directory if they can exploit the path traversal flaw. This could lead to unauthorized access to sensitive files, potentially exposing confidential information depending on the Unix file permissions.
The CVSS score of 4.4 indicates a moderate risk, with a high impact on confidentiality but requiring high privileges and complex attack conditions to exploit.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the use of the {lang} placeholder in the template directory configuration of Nextcloud Server or Enterprise Server, which can lead to path traversal attacks by non-admin users.
To detect if your system is vulnerable, check the Nextcloud configuration files for the presence of the {lang} placeholder in the template directory setting.
You can search for the placeholder in your Nextcloud configuration directory with commands such as the following (the setting is spelled `templatedirectory` in Nextcloud's config.php, and `-F` treats the braces literally rather than as a regex interval):
- `grep -rF '{lang}' /path/to/nextcloud/config/`
- `grep -r 'templatedirectory' /path/to/nextcloud/config/ | grep -F '{lang}'`
Additionally, review user activity logs for suspicious file copy operations or unexpected file creations in user directories, which might indicate exploitation attempts.
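As an added illustration (not Nextcloud's code, and not a reproduction of its actual cleanLanguage method), the following Python models the two defensive points made above: a detection pass over a constructed config.php for a `templatedirectory` value that still uses the {lang} placeholder (key spelling as in Nextcloud's config.sample.php), and an allow-list check on the language string before it is substituted into the path, backed by a containment check as defence in depth. The sample paths and the allow-list regex are assumptions.

```python
import posixpath
import re

# Constructed sample of a Nextcloud config.php using the {lang} placeholder in
# the template directory setting (paths are placeholders, not a real deployment).
SAMPLE_CONFIG = """<?php
$CONFIG = array (
  'datadirectory' => '/var/www/nextcloud/data',
  'templatedirectory' => '/var/www/nextcloud/templates/{lang}',
);
"""

CONFIG_RE = re.compile(r"'templatedirectory'\s*=>\s*'([^']*)'")

# Allow-list for language codes in the shape Nextcloud uses (en, de_DE, pt_BR,
# zh_Hans). Illustrative rule only; it is not the project's cleanLanguage().
LANG_RE = re.compile(r"[A-Za-z]{2,3}(?:_[A-Za-z0-9]{2,8})?")


def find_lang_placeholder(config_php: str) -> list[str]:
    """Detection: return templatedirectory values that still use {lang}."""
    return [v for v in CONFIG_RE.findall(config_php) if "{lang}" in v]


def clean_language(lang: str) -> str:
    """Return lang unchanged if it is on the allow-list, else raise.

    Rejecting instead of stripping means separators, '..' and control bytes
    never reach the path construction below.
    """
    if not LANG_RE.fullmatch(lang):
        raise ValueError(f"invalid language string: {lang!r}")
    return lang


def resolve_template_dir(config_value: str, lang: str) -> str:
    """Substitute {lang} and confirm the result stays under the configured base."""
    base = posixpath.normpath(config_value.split("{lang}", 1)[0])
    candidate = posixpath.normpath(
        config_value.replace("{lang}", clean_language(lang)))
    # Defence in depth: even a sanitizer bug must not let the path escape.
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError(f"template path escapes {base}: {candidate}")
    return candidate


if __name__ == "__main__":
    for value in find_lang_placeholder(SAMPLE_CONFIG):
        print("templatedirectory uses {lang}:", value)
        print("de_DE ->", resolve_template_dir(value, "de_DE"))
```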
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade your Nextcloud Server or Enterprise Server to the patched versions where this vulnerability is fixed.
- Upgrade Nextcloud Server to version 31.0.14 or 32.0.4 (or later).
- Upgrade Nextcloud Enterprise Server to version 32.0.4, 31.0.14, 30.0.17.7, 29.0.17.12, or 28.0.14.15 (or later).
If immediate upgrade is not possible, remove the {lang} placeholder from the template directory configuration to prevent exploitation.
Ensure that Unix file permissions are properly set to restrict unauthorized file copying.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows non-admin users to copy arbitrary files into their own Nextcloud directory via a path traversal attack, potentially exposing sensitive data depending on Unix permissions.
Such unauthorized access to files could lead to confidentiality breaches, which may impact compliance with data protection regulations like GDPR and HIPAA that require strict controls on access to personal and sensitive information.
Therefore, if exploited, this vulnerability could undermine compliance efforts by enabling unauthorized data access.