CVE-2026-45283
Improper File Ownership Validation in Nextcloud Server
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | enterprise_server | From 32.0.2 (inc) |
| nextcloud | enterprise_server | From 33.0.1 (inc) |
| nextcloud | server | From 32.0.0 (inc) to 32.0.2 (exc) |
| nextcloud | server | From 33.0.0 (inc) to 33.0.1 (exc) |
| nextcloud | enterprise_server | to 31.0.14.4 (inc) |
| nextcloud | enterprise_server | From 32.0.2 (inc) to 33.0.1 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Nextcloud Server files_lock app in versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1. The app did not properly validate file ownership when processing DAV lock and unlock requests.
As a result, an authenticated user could lock or unlock files belonging to other users by targeting their absolute WebDAV paths.
Additionally, lock tokens were disclosed to unauthorized callers in error responses, which allowed attackers to remove token-based locks placed by other users' client applications.
Upgrading to Nextcloud Server versions 32.0.2 or 33.0.1, or Nextcloud Enterprise Server versions 31.0.14.4, 32.0.2, or 33.0.1 is recommended to fix this issue.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an authenticated user to improperly lock or unlock files that belong to other users.
This could lead to unauthorized modification of file access states, potentially disrupting collaboration or causing denial of access to files.
Furthermore, the disclosure of lock tokens to unauthorized users could enable attackers to remove locks placed by others, further compromising file integrity and access control.
Overall, this could result in data integrity issues and unauthorized interference with other users' files.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, it is recommended to upgrade the Nextcloud Server to version 32.0.2 or 33.0.1.
For Nextcloud Enterprise Server, upgrade to version 31.0.14.4, 32.0.2, or 33.0.1.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the Nextcloud files_lock app allows authenticated users to lock or unlock files belonging to other users and discloses lock tokens to unauthorized callers. This improper authentication and unauthorized access to other users' files could potentially lead to violations of data protection and privacy requirements found in standards like GDPR and HIPAA, which mandate strict controls over access to personal and sensitive data.
Because the vulnerability enables unauthorized manipulation and disclosure of file locks, it may undermine the integrity and confidentiality of user data, which are critical compliance aspects in regulations such as GDPR and HIPAA.
It is recommended to upgrade to the patched versions to mitigate these risks and maintain compliance.