CVE-2026-45282
Information Disclosure in Nextcloud Server
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | enterprise_server | From 32.0.9 (inc) |
| nextcloud | enterprise_server | From 33.0.3 (inc) |
| nextcloud | enterprise_server | From 27.0.0 (inc) |
| nextcloud | enterprise_server | From 28.0.14.17 (inc) |
| nextcloud | enterprise_server | From 29.0.16.16 (inc) |
| nextcloud | enterprise_server | From 30.0.17.9 (inc) |
| nextcloud | enterprise_server | From 31.0.14.5 (inc) |
| nextcloud | enterprise_server | to 33.0.3 (inc) |
| nextcloud | enterprise_server | to 32.0.9 (inc) |
| nextcloud | server | From 32.0.0 (inc) to 32.0.9 (exc) |
| nextcloud | server | From 33.0.0 (inc) to 33.0.3 (exc) |
| nextcloud | enterprise_server | From 27.1.11.5 (inc) to 33.0.3 (inc) |
| nextcloud | enterprise_server | 28.0.14.17 |
| nextcloud | enterprise_server | 29.0.16.16 |
| nextcloud | enterprise_server | 30.0.17.9 |
| nextcloud | enterprise_server | 31.0.14.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated attacker to bypass password protection and download restrictions to access attachments of link shares if they know the share token and a documentId. Such unauthorized access to shared data could potentially lead to violations of data protection requirements under regulations like GDPR and HIPAA, which mandate strict controls on access to personal and sensitive information.
Because the attacker can extract attachments without proper authorization, organizations using affected versions of Nextcloud Server or Enterprise Server may face increased risk of data breaches or unauthorized disclosure, impacting compliance with confidentiality and access control provisions in these standards.
Applying the recommended patches and updates is critical to mitigate this risk and maintain compliance with these regulations.
Can you explain this vulnerability to me?
This vulnerability affects Nextcloud Server and Nextcloud Enterprise Server versions before certain patched releases. An authenticated attacker who knows a share token and a documentId they own can access attachments of link shares, bypassing password protection and download restrictions. For shared folders, the attacker must know or guess a documentId of a file inside the folder, which makes exploitation more difficult. The attacker can only extract attachments, not the shared file or folder itself.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to attachments shared via Nextcloud link shares, even if those shares are protected by passwords or download restrictions. An attacker with valid credentials and knowledge of certain tokens can extract attachments without permission, potentially exposing sensitive or confidential information. However, the attacker cannot access the entire shared file or folder, only the attachments.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, it is recommended to upgrade the Nextcloud Server to version 33.0.3 or 32.0.9.
For Nextcloud Enterprise Server, upgrade to one of the following patched versions: 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, or 27.1.11.5.
As a workaround, you can disable the Text app to prevent exploitation of this vulnerability.