CVE-2026-45283
Analyzed Analyzed - Analysis Complete
Improper File Ownership Validation in Nextcloud Server

Publication date: 2026-06-01

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the files_lock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated user could lock or unlock files belonging to other users by targeting their absolute WebDAV paths. Additionally, lock tokens were disclosed to unauthorized callers in error responses, allowing attackers to remove token-based locks placed by other users' client applications. It is recommended that the Nextcloud Server is upgraded to 32.0.2 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 31.0.14.4 or 32.0.2 or 33.0.1
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-03
Generated
2026-06-22
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-45283
EUVD
EUVD-2026-33708
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
nextcloud nextcloud_server From 32.0.0 (inc) to 32.0.2 (exc)
nextcloud nextcloud_server From 33.0.0 (inc) to 33.0.1 (exc)
nextcloud nextcloud_server From 31.0.0 (inc) to 31.0.14.4 (exc)
nextcloud nextcloud_server From 32.0.0 (inc) to 32.0.2 (exc)
nextcloud nextcloud_server From 33.0.0 (inc) to 33.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the Nextcloud Server files_lock app in versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1. The app did not properly validate file ownership when processing DAV lock and unlock requests.

As a result, an authenticated user could lock or unlock files belonging to other users by targeting their absolute WebDAV paths.

Additionally, lock tokens were disclosed to unauthorized callers in error responses, which allowed attackers to remove token-based locks placed by other users' client applications.

Upgrading to Nextcloud Server versions 32.0.2 or 33.0.1, or Nextcloud Enterprise Server versions 31.0.14.4, 32.0.2, or 33.0.1 is recommended to fix this issue.

Compliance Impact

The vulnerability in the Nextcloud files_lock app allows authenticated users to lock or unlock files belonging to other users and discloses lock tokens to unauthorized callers. This improper authentication and unauthorized access to other users' files could potentially lead to violations of data protection and privacy requirements found in standards like GDPR and HIPAA, which mandate strict controls over access to personal and sensitive data.

Because the vulnerability enables unauthorized manipulation and disclosure of file locks, it may undermine the integrity and confidentiality of user data, which are critical compliance aspects in regulations such as GDPR and HIPAA.

It is recommended to upgrade to the patched versions to mitigate these risks and maintain compliance.

Impact Analysis

This vulnerability can impact you by allowing an authenticated user to improperly lock or unlock files that belong to other users.

This could lead to unauthorized modification of file access states, potentially disrupting collaboration or causing denial of access to files.

Furthermore, the disclosure of lock tokens to unauthorized users could enable attackers to remove locks placed by others, further compromising file integrity and access control.

Overall, this could result in data integrity issues and unauthorized interference with other users' files.

Mitigation Strategies

To mitigate this vulnerability, it is recommended to upgrade the Nextcloud Server to version 32.0.2 or 33.0.1.

For Nextcloud Enterprise Server, upgrade to version 31.0.14.4, 32.0.2, or 33.0.1.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45283. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart