CVE-2026-45285
Status: Analyzed (analysis complete)
Unauthorized Public Link Creation in Nextcloud

Publication date: 2026-06-01

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
Nextcloud is an open source content collaboration platform. From versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a user shares a folder or file with a Nextcloud Team that includes an external member (a person added via email address who does not have a Nextcloud account), the system automatically creates a public link for that external member. This public link is not displayed in the share section of the folder, so the folder owner has no knowledge of its existence. It is sent via email to the external member. It grants the same permissions (read, write, delete, reshare, download) as the Team’s access. An attacker who receives or intercepts this link can access, modify, delete, reshare, and download all data in the shared folder without any further authentication. The folder owner cannot see or revoke the link through the normal sharing interface. This issue has been patched in versions 32.0.9 and 33.0.3.
Meta Information
Page generated: 2026-06-22
EPSS evaluated: 2026-06-20
Cross-references: NVD, EUVD
Affected Vendors & Products
Vendor      Product             Version / Range
nextcloud   nextcloud_server    From 32.0.0 (inc) to 32.0.9 (exc)
nextcloud   nextcloud_server    From 33.0.0 (inc) to 33.0.3 (exc)
Weakness (CWE)
CWE-862 Missing Authorization: the product does not perform an authorization check when an actor attempts to access a resource or perform an action. Here, the automatically created public link grants the Team's permissions to whoever holds the URL, with no further authentication and no entry in the owner's share list.
Detection Guidance

The advisory provides no detection signatures, commands, or indicators of compromise for this issue. The only reliable indicator is the installed Nextcloud Server version: an instance is affected if it runs 32.0.0 up to but not including 32.0.9, or 33.0.0 up to but not including 33.0.3.
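Because exposure is determined by the server version alone, a practical check is to compare the reported version against the two affected ranges. The following is an added example, not part of the advisory or of Nextcloud's own code: it encodes the ranges from the Description and evaluates a version string of the kind Nextcloud exposes in the JSON of its unauthenticated /status.php endpoint (the "version" field) or prints from `occ status`. The function names and the sample status JSON are constructed for illustration.

```python
"""Version check for CVE-2026-45285 (Nextcloud hidden public links for Team external members).

Added example, not part of the advisory or of Nextcloud's own code. The affected
ranges are taken from the advisory text; everything else (function names, the
sample status.php JSON) is constructed for illustration.
"""
import json
import re

# Affected ranges from the advisory, one per release branch: [first affected, first fixed).
AFFECTED_RANGES = [
    ((32, 0, 0), (32, 0, 9)),
    ((33, 0, 0), (33, 0, 3)),
]


def parse_version(version: str) -> tuple:
    """Convert a Nextcloud version string into a tuple of ints.

    Nextcloud reports four components internally (e.g. "32.0.7.1") and three in
    its display string ("32.0.7"); both compare correctly as tuples. Parsing
    stops at the first component that does not start with a digit, so a
    pre-release suffix such as "33.0.3rc1" is treated as 33.0.3 (the advisory
    does not address pre-release builds).
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable Nextcloud version: {version!r}")
    return tuple(parts)


def fixed_version_for(version: str):
    """Return the first fixed release for an affected version, or None if not affected.

    Tuple comparison is lexicographic, so (32, 0, 8, 3) < (32, 0, 9) while
    (32, 0, 9, 0) > (32, 0, 9): a build of the fixed release counts as fixed.
    """
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    return fixed_version_for(version) is not None


def assess_status_json(raw: str) -> dict:
    """Evaluate the JSON body served by Nextcloud's unauthenticated /status.php.

    That endpoint exposes the server version in the "version" field, which makes
    this check usable from outside the host. Enterprise builds follow the same
    version numbering, and the advisory lists both as affected.
    """
    status = json.loads(raw)
    version = status["version"]
    return {
        "product": status.get("productname", "Nextcloud"),
        "edition": status.get("edition", ""),
        "version": version,
        "affected": is_affected(version),
        "fixed_in": fixed_version_for(version),
    }


# Constructed sample of a /status.php response; not captured from a real host.
SAMPLE_STATUS_JSON = (
    '{"installed":true,"maintenance":false,"needsDbUpgrade":false,'
    '"version":"32.0.7.1","versionstring":"32.0.7","edition":"",'
    '"productname":"Nextcloud","extendedSupport":false}'
)

if __name__ == "__main__":
    result = assess_status_json(SAMPLE_STATUS_JSON)
    if result["affected"]:
        verdict = f"affected, upgrade to {result['fixed_in']} or later"
    else:
        verdict = "not affected"
    print(f"{result['product']} {result['version']}: {verdict}")
```

Run against the output of `curl -s https://<host>/status.php` for a remote check, or feed the version line from `occ status` on the server itself. A version of 32.0.9 or 33.0.3, including four-component builds of those releases, is reported as fixed; anything in 31.x or earlier, or 34.x and later, is outside the advisory's ranges and reported as not affected.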

Impact Analysis

This vulnerability can lead to unauthorized access and control over shared data in Nextcloud folders or files. An attacker with the hidden public link can read, modify, delete, reshare, and download all data in the shared folder.

Because the folder owner is unaware that the link exists and cannot revoke it through the normal interface, sensitive data may be exposed or altered without the owner's knowledge.

Executive Summary

This vulnerability affects Nextcloud versions 32.0.0 to before 32.0.9 and 33.0.0 to before 33.0.3. When a user shares a folder or file with a Nextcloud Team that includes an external member (someone added via email who does not have a Nextcloud account), the system automatically creates a hidden public link for that external member.

This public link is not shown in the folder's share section, so the folder owner does not know it exists. The link is sent via email to the external member and grants the same permissions as the Team’s access, including read, write, delete, reshare, and download.

An attacker who obtains or intercepts this link can access and manipulate all data in the shared folder without any further authentication. The folder owner cannot see or revoke this link through the normal sharing interface.

Mitigation Strategies

Upgrade Nextcloud Server or Enterprise Server to version 32.0.9 or 33.0.3 (or a later release of the respective branch), where the issue is patched.

No workaround is available, so applying the official update is the recommended immediate step. The advisory does not state whether hidden links created on an affected version are revoked by the upgrade, so Team shares that include external members and were created before patching should be reviewed rather than assumed safe.

Compliance Impact

This vulnerability allows unauthorized external members to gain access to shared folders via hidden public links that are not visible to the folder owner. Such unauthorized access can lead to exposure, modification, or deletion of sensitive data without the knowledge or consent of the data owner.

Because the folder owner cannot see or revoke these links, this undermines data access controls and auditability, which are critical requirements in compliance frameworks such as GDPR and HIPAA.

Therefore, this vulnerability could result in non-compliance with data protection regulations that mandate strict control over data sharing, user access, and breach notification.
