CVE-2026-45284
Improper LDAP User Authentication After Deletion in Nextcloud
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | user_oidc | From 1.3.6 (inc) to 8.4.0 (exc) |
| nextcloud | user_oidc | 8.4.0 |
| nextcloud | nextcloud | From 1.3.6 (inc) to 8.4.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows deleted LDAP users to still authenticate via the User OIDC app due to improper access control. Such unauthorized access could potentially lead to unauthorized data exposure or access to sensitive information.
While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, improper access control and unauthorized authentication can pose risks to data confidentiality and integrity, which are critical aspects of these regulations.
Therefore, if exploited, this vulnerability could negatively impact compliance with regulations that require strict access controls and protection of personal or sensitive data.
Can you explain this vulnerability to me?
This vulnerability exists in the Nextcloud User OIDC app, where an improper check in the LdapService allowed users who were deleted from LDAP to still authenticate through the User OIDC system.
Specifically, a bug in the method `LdapService::isLdapDeletedUser` caused the system to incorrectly allow deleted LDAP users to authenticate, due to a wrong condition check.
This issue affected versions starting from 1.3.6 up to before version 8.4.0 and was patched in version 8.4.0.
How can this vulnerability impact me? :
An attacker with low privileges could exploit this vulnerability to authenticate as a user who has been deleted from LDAP, potentially gaining unauthorized access.
The impact on confidentiality, integrity, and availability is limited but still present, as unauthorized users might access resources they should no longer have access to.
The vulnerability requires user interaction and has a moderate severity with a CVSS score of 4.6.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are advised to upgrade the User OIDC app to version 8.4.0 or later, where the issue has been patched.
As a workaround, disabling the user_oidc app can also prevent exploitation of this vulnerability.