CVE-2026-45279
Analyzed Analyzed - Analysis Complete

Path Traversal in Nextcloud Server

Vulnerability report for CVE-2026-45279, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-01

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if {lang} is used in the template directory config value, non-admin users can in some cases copy arbitrary files (depending on unix permissions) into their own Nextcloud directory via a path traversal. It is recommended that the Nextcloud Server is upgraded to 32.0.4, 31.0.14. It is recommended that the Nextcloud Enterprise Server is upgraded to 32.0.4, 31.0.14, 30.0.17.7, 29.0.17.12, 28.0.14.15

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-01
Last Modified
2026-06-03
Generated
2026-07-12
AI Q&A
2026-06-01
EPSS Evaluated
2026-07-10
NVD
EUVD

Affected Vendors & Products

Showing 7 associated CPEs
Vendor Product Version / Range
nextcloud nextcloud_server From 31.0.0 (inc) to 31.0.14 (exc)
nextcloud nextcloud_server From 32.0.0 (inc) to 32.0.4 (exc)
nextcloud nextcloud_server From 28.0.0 (inc) to 28.0.14.15 (exc)
nextcloud nextcloud_server From 29.0.0 (inc) to 29.0.17.12 (exc)
nextcloud nextcloud_server From 30.0.0 (inc) to 30.0.17.7 (exc)
nextcloud nextcloud_server From 31.0.0 (inc) to 31.0.14 (exc)
nextcloud nextcloud_server From 32.0.0 (inc) to 32.0.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-45279 is a path traversal vulnerability in Nextcloud Server and Enterprise Server that occurs when the {lang} placeholder is used in the template directory configuration. This flaw allows non-admin users, under certain conditions and depending on Unix permissions, to copy arbitrary files into their own Nextcloud directory. The vulnerability arises from insufficient input sanitization of language strings, which can be exploited to manipulate file paths.

The issue was fixed by improving input sanitization in the cleanLanguage method, ensuring invalid characters are removed from language strings before processing, thus preventing path traversal or injection attacks.

Compliance Impact

This vulnerability allows non-admin users to copy arbitrary files into their own Nextcloud directory via a path traversal attack, potentially exposing sensitive data depending on Unix permissions.

Such unauthorized access to files could lead to confidentiality breaches, which may impact compliance with data protection regulations like GDPR and HIPAA that require strict controls on access to personal and sensitive information.

Therefore, if exploited, this vulnerability could undermine compliance efforts by enabling unauthorized data access.

Impact Analysis

This vulnerability can impact you by allowing non-admin users to copy arbitrary files into their own Nextcloud directory if they can exploit the path traversal flaw. This could lead to unauthorized access to sensitive files, potentially exposing confidential information depending on the Unix file permissions.

The CVSS score of 4.4 indicates a moderate risk, with a high impact on confidentiality but requiring high privileges and complex attack conditions to exploit.

Detection Guidance

This vulnerability involves the use of the {lang} placeholder in the template directory configuration of Nextcloud Server or Enterprise Server, which can lead to path traversal attacks by non-admin users.

To detect if your system is vulnerable, check the Nextcloud configuration files for the presence of the {lang} placeholder in the template directory setting.

You can use commands to search for this placeholder in your Nextcloud configuration directory. For example:

  • grep -r '\{lang\}' /path/to/nextcloud/config/
  • grep -r 'template_directory' /path/to/nextcloud/config/ | grep '\{lang\}'

Additionally, review user activity logs for suspicious file copy operations or unexpected file creations in user directories, which might indicate exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade your Nextcloud Server or Enterprise Server to the patched versions where this vulnerability is fixed.

  • Upgrade Nextcloud Server to version 31.0.14 or 32.0.4 (or later).
  • Upgrade Nextcloud Enterprise Server to version 32.0.4, 31.0.14, 30.0.17.7, 29.0.17.12, or 28.0.14.15 (or later).

If immediate upgrade is not possible, remove the {lang} placeholder from the template directory configuration to prevent exploitation.

Ensure that Unix file permissions are properly set to restrict unauthorized file copying.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45279. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart