CVE-2026-45282
Analyzed Analyzed - Analysis Complete
Information Disclosure in Nextcloud Server

Publication date: 2026-06-01

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authenticated attacker can access attachments of link shares when knowing the share token, circumventing password protection or download restrictions. It is applicable to any file that is shared directly, as the attacker only needs to know a documentId they own, apart of the mentioned share token. For shared folders the attacker has to know or guess a documentId of a file that is included inside the folder, making it much harder to exploit. The attacker can only extract an attachments, but not the file shared file or folder itself. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17 or 27.1.11.5
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-03
Generated
2026-06-22
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-45282
EUVD
EUVD-2026-33707
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
nextcloud nextcloud_server From 32.0.0 (inc) to 32.0.9 (exc)
nextcloud nextcloud_server From 33.0.0 (inc) to 33.0.3 (exc)
nextcloud nextcloud_server From 29.0.0 (inc) to 29.0.16.16 (exc)
nextcloud nextcloud_server From 30.0.0 (inc) to 30.0.17.9 (exc)
nextcloud nextcloud_server From 31.0.0 (inc) to 31.0.14.5 (exc)
nextcloud nextcloud_server From 32.0.0 (inc) to 32.0.9 (exc)
nextcloud nextcloud_server From 33.0.0 (inc) to 33.0.3 (exc)
nextcloud nextcloud_server From 28.0.0 (inc) to 28.0.14.17 (exc)
nextcloud nextcloud_server From 27.0.0 (inc) to 27.1.11.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Nextcloud Server and Nextcloud Enterprise Server versions before certain patched releases. An authenticated attacker who knows a share token and a documentId they own can access attachments of link shares, bypassing password protection and download restrictions. For shared folders, the attacker must know or guess a documentId of a file inside the folder, which makes exploitation more difficult. The attacker can only extract attachments, not the shared file or folder itself.

Impact Analysis

This vulnerability can lead to unauthorized access to attachments shared via Nextcloud link shares, even if those shares are protected by passwords or download restrictions. An attacker with valid credentials and knowledge of certain tokens can extract attachments without permission, potentially exposing sensitive or confidential information. However, the attacker cannot access the entire shared file or folder, only the attachments.

Mitigation Strategies

To mitigate this vulnerability, it is recommended to upgrade the Nextcloud Server to version 33.0.3 or 32.0.9.

For Nextcloud Enterprise Server, upgrade to one of the following patched versions: 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, or 27.1.11.5.

As a workaround, you can disable the Text app to prevent exploitation of this vulnerability.

Compliance Impact

This vulnerability allows an authenticated attacker to bypass password protection and download restrictions to access attachments of link shares if they know the share token and a documentId. Such unauthorized access to shared data could potentially lead to violations of data protection requirements under regulations like GDPR and HIPAA, which mandate strict controls on access to personal and sensitive information.

Because the attacker can extract attachments without proper authorization, organizations using affected versions of Nextcloud Server or Enterprise Server may face increased risk of data breaches or unauthorized disclosure, impacting compliance with confidentiality and access control provisions in these standards.

Applying the recommended patches and updates is critical to mitigate this risk and maintain compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45282. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart