CVE-2026-45285
Unauthorized Public Link Creation in Nextcloud
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | nextcloud | to 32.0.9 (exc) |
| nextcloud | nextcloud | to 33.0.3 (exc) |
| nextcloud | nextcloud | From 32.0.0 (inc) to 32.0.9 (exc) |
| nextcloud | nextcloud | From 33.0.0 (inc) to 33.0.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized external members to gain access to shared folders via hidden public links that are not visible to the folder owner. Such unauthorized access can lead to exposure, modification, or deletion of sensitive data without the knowledge or consent of the data owner.
Because the folder owner cannot see or revoke these links, this undermines data access controls and auditability, which are critical requirements in compliance frameworks such as GDPR and HIPAA.
Therefore, this vulnerability could result in non-compliance with data protection regulations that mandate strict control over data sharing, user access, and breach notification.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability can be mitigated by upgrading Nextcloud Server or Enterprise Server to versions 32.0.9 or 33.0.3 or later, where the issue has been patched.
No workarounds are currently available, so applying the official patch is the recommended immediate step.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access and control over shared data in Nextcloud folders or files. An attacker with the hidden public link can read, modify, delete, reshare, and download all data in the shared folder.
Because the folder owner is unaware of the existence of this link and cannot revoke it through the normal interface, sensitive data may be exposed or compromised without detection.
Can you explain this vulnerability to me?
This vulnerability affects Nextcloud versions 32.0.0 to before 32.0.9 and 33.0.0 to before 33.0.3. When a user shares a folder or file with a Nextcloud Team that includes an external member (someone added via email who does not have a Nextcloud account), the system automatically creates a hidden public link for that external member.
This public link is not shown in the folder's share section, so the folder owner does not know it exists. The link is sent via email to the external member and grants the same permissions as the Team's access, including read, write, delete, reshare, and download.
An attacker who obtains or intercepts this link can access and manipulate all data in the shared folder without any further authentication. The folder owner cannot see or revoke this link through the normal sharing interface.