CVE-2026-45543
Unauthorized File Access in Nextcloud Forms
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | forms | From 4.3.0 (inc) to 5.2.7 (exc) |
| nextcloud | forms | 5.2.7 |
| nextcloud | nextcloud | From 4.3.0 (inc) to 5.2.7 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-552 | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Nextcloud Forms affects versions from 4.3.0 up to before 5.2.7. When a collaborator is removed from a form, the system fails to properly revoke their access to uploaded respondent files. Specifically, the file shares associated with the removed collaborator remain accessible, allowing them unauthorized read access to these files. The issue is limited to forms where the collaborator previously had results access.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of respondent-uploaded files to former collaborators who should no longer have access. Although the impact on confidentiality is considered low, it means sensitive data could be exposed to individuals who have been removed from the collaboration, potentially leading to privacy breaches or data leaks.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are advised to upgrade Nextcloud Forms to version 5.2.7 or later, where the issue has been patched.
No workarounds are mentioned beyond disabling the Forms app.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows removed collaborators to retain unauthorized read access to uploaded respondent files in Nextcloud Forms. This unauthorized access to potentially sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict control over access to personal and sensitive information.
Since the issue involves lingering file shares that expose respondent data to former collaborators, it poses a risk to confidentiality, a key requirement in many compliance frameworks. Organizations using affected versions of Nextcloud Forms may fail to meet regulatory obligations for data access controls and data minimization until the vulnerability is patched.
Upgrading to Nextcloud Forms version 5.2.7 or later is necessary to mitigate this risk and maintain compliance with standards that mandate protection of sensitive data from unauthorized access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or network/system detection methods provided in the available resources for CVE-2026-45543.
The vulnerability involves file shares that linger in Nextcloud Forms after a collaborator is removed, which leaves that former collaborator with unauthorized read access to uploaded respondent files. Detection would therefore require checking, within the Nextcloud Forms application, for residual file shares whose recipient is a collaborator who has since been removed.
Since no explicit commands or automated detection tools are mentioned, the recommended approach is to verify the installed Nextcloud Forms version and ensure it is 5.2.7 or later, where the issue is patched.
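The two checks the answers above describe (the version-range test for the upgrade advice, and the residual-share reconciliation for detection), as an added Python example that is not part of this record or of Nextcloud's own code. It assumes an administrator has already exported each form's current collaborators with results access and the active shares on each form's respondent-upload folder; the `Share` record layout, the folder paths and the user ids below are constructed for the example.

```python
"""Added example for CVE-2026-45543: version-range check plus a reconciliation
that flags shares on respondent-upload folders whose recipient is no longer a
collaborator with results access. Not Nextcloud's code; data layout assumed."""
import re
from dataclasses import dataclass

AFFECTED_FROM = (4, 3, 0)   # inclusive lower bound, per the advisory
FIXED_IN = (5, 2, 7)        # exclusive upper bound: 5.2.7 carries the fix


def parse_version(text: str) -> tuple:
    """Turn '5.2.7' (or '5.2.7-rc1') into (5, 2, 7) for tuple comparison."""
    return tuple(int(re.sub(r"\D.*$", "", p) or 0) for p in text.strip().split("."))


def is_affected(version: str) -> bool:
    """True when the Forms version lies in the advisory range [4.3.0, 5.2.7)."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


@dataclass(frozen=True)
class Share:
    form_id: int       # form whose upload folder is shared (assumed export field)
    path: str          # folder receiving respondent uploads
    shared_with: str   # user id that holds the share


def find_lingering_shares(collaborators: dict, shares: list) -> list:
    """Return shares whose recipient currently lacks results access on that form.
    collaborators maps form_id -> set of user ids with results access right now;
    a share on a form with no collaborators at all is also reported."""
    lingering = []
    for share in shares:
        allowed = collaborators.get(share.form_id, set())
        if share.shared_with not in allowed:
            lingering.append(share)
    return lingering


# Constructed sample: 'bob' was removed from form 7 but his share survived.
SAMPLE_COLLABORATORS = {7: {"alice"}, 8: {"carol", "dave"}}
SAMPLE_SHARES = [
    Share(7, "/Forms/7/uploads", "alice"),
    Share(7, "/Forms/7/uploads", "bob"),
    Share(8, "/Forms/8/uploads", "carol"),
]

if __name__ == "__main__":
    print("5.1.0 affected:", is_affected("5.1.0"))
    for s in find_lingering_shares(SAMPLE_COLLABORATORS, SAMPLE_SHARES):
        print(f"revoke share on {s.path} (form {s.form_id}) for {s.shared_with}")
```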