CVE-2026-45543
Analyzed - Analysis Complete
Unauthorized File Access in Nextcloud Forms

Publication date: 2026-06-01

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
Nextcloud is an open source content collaboration platform. From version 4.3.0 to before version 5.2.7, a removed collaborator retains unauthorized read access to uploaded respondent files for the affected form. The scope is limited to uploaded files for forms where that user previously had results access. This issue has been patched in version 5.2.7.
Meta Information
Published: 2026-06-01
Last Modified: 2026-06-04
Generated: 2026-06-22
AI Q&A: 2026-06-01
EPSS Evaluated: 2026-06-20
Affected Vendors & Products
Vendor: nextcloud
Product: forms
Version / Range: From 4.3.0 (inc) to 5.2.7 (exc)
CWE ID: CWE-552
Description: The product makes files or directories accessible to unauthorized actors, even though they should not be.
Compliance Impact

The vulnerability allows removed collaborators to retain unauthorized read access to uploaded respondent files in Nextcloud Forms. This unauthorized access to potentially sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict control over access to personal and sensitive information.

Since the issue involves lingering file shares that expose respondent data to former collaborators, it poses a risk to confidentiality, a key requirement in many compliance frameworks. Organizations using affected versions of Nextcloud Forms may fail to meet regulatory obligations for data access controls and data minimization until the vulnerability is patched.

Upgrading to Nextcloud Forms version 5.2.7 or later is necessary to mitigate this risk and maintain compliance with standards that mandate protection of sensitive data from unauthorized access.

Detection Guidance

There are no specific detection commands or network/system detection methods provided in the available resources for CVE-2026-45543.

The vulnerability involves lingering file shares in Nextcloud Forms after a collaborator is removed, which allows unauthorized read access to uploaded respondent files. Detection would likely require checking for residual file shares related to removed collaborators within the Nextcloud Forms application.

Since no explicit commands or automated detection tools are mentioned, the recommended approach is to verify the Nextcloud Forms version and ensure it is updated to 5.2.7 or later, where the issue is patched.
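
The version check recommended above, as an added example (not from the advisory or the Nextcloud project): it classifies a server from the JSON printed by `occ app:list --output=json`, using the affected range stated on this page. The sample input is constructed, and treating a pre-release build of 5.2.7 as still affected is a conservative assumption.

```python
import json
import re

AFFECTED_FROM = (4, 3, 0)  # inclusive lower bound from the advisory
FIXED_IN = (5, 2, 7)       # first patched release (exclusive upper bound)

# Constructed sample of `occ app:list --output=json` output (not real data).
SAMPLE = '{"enabled": {"files": "2.0.0", "forms": "5.2.6"}, "disabled": {}}'


def parse_version(text):
    """Return ((major, minor, patch), has_suffix) for e.g. '5.2.6' or '5.2.7-rc.1'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(.*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.group(1, 2, 3)), bool(m.group(4))


def forms_status(app_list_json):
    """Classify exposure to CVE-2026-45543 from the app list JSON."""
    apps = json.loads(app_list_json)
    enabled = apps.get("enabled", {})
    disabled = apps.get("disabled", {})  # membership test works for a dict or a list
    if "forms" in enabled:
        version, has_suffix = parse_version(str(enabled["forms"]))
        # Assumption: a pre-release of the fixed version may lack the patch.
        if AFFECTED_FROM <= version < FIXED_IN or (version == FIXED_IN and has_suffix):
            return "vulnerable"
        return "not-affected"
    if "forms" in disabled:
        return "disabled"  # the only workaround the page mentions
    return "not-installed"


if __name__ == "__main__":
    print(forms_status(SAMPLE))
```
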

Executive Summary

This vulnerability in Nextcloud Forms affects versions from 4.3.0 up to before 5.2.7. When a collaborator is removed from a form, the system fails to properly revoke their access to uploaded respondent files. Specifically, the file shares associated with the removed collaborator remain accessible, allowing them unauthorized read access to these files. The issue is limited to forms where the collaborator previously had results access.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of respondent-uploaded files to former collaborators who should no longer have access. Although the impact on confidentiality is considered low, it means sensitive data could be exposed to individuals who have been removed from the collaboration, potentially leading to privacy breaches or data leaks.

Mitigation Strategies

To mitigate this vulnerability, users are advised to upgrade Nextcloud Forms to version 5.2.7 or later, where the issue has been patched.

No workarounds are mentioned beyond disabling the Forms app.
