CVE-2026-45545

Analyzed Analyzed - Analysis Complete

SQL Injection in Nextcloud Tables App

Publication date: 2026-06-01

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description

Nextcloud is an open source content collaboration platform. From versions 0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, and 1.0.0 to before 1.0.4, an authenticated attacker with access to the Tables app may be able to execute arbitrary up to 20 bytes long SQL queries, through a stored injection. With carefully crafted input it is possible to break out of the length limitation. The attacker could use this to extract information from the database, or modify data. This issue has been patched in versions 0.7.7, 0.8.10, 0.9.8, 1.0.4, and 2.0.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-01

Last Modified

2026-06-04

Generated

2026-06-22

AI Q&A

2026-06-01

EPSS Evaluated

2026-06-20

NVD

CVE-2026-45545

EUVD

EUVD-2026-33715

Affected Vendors & Products

Vendor	Product	Version / Range
nextcloud	tables	From 0.7.0 (inc) to 0.7.7 (exc)
nextcloud	tables	From 0.8.0 (inc) to 0.8.10 (exc)
nextcloud	tables	From 0.9.0 (inc) to 0.9.8 (exc)
nextcloud	tables	From 1.0.0 (inc) to 1.0.4 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2026-45545 is a SQL injection vulnerability in the Nextcloud Tables app that affects versions from 0.7.0 up to but not including 0.7.7, 0.8.0 up to but not including 0.8.10, 0.9.0 up to but not including 0.9.8, and 1.0.0 up to but not including 1.0.4.

An authenticated attacker with access to the Tables app can execute arbitrary SQL queries up to 20 bytes in length through a stored injection. With carefully crafted input, the attacker can bypass this length limitation.

This allows the attacker to extract information from the database or modify data, potentially compromising the confidentiality and integrity of the system.

The vulnerability has been patched in versions 0.7.7, 0.8.10, 0.9.8, 1.0.4, and 2.0.0.

Compliance Impact

The vulnerability allows an authenticated attacker to execute arbitrary SQL queries, potentially extracting or modifying sensitive data stored in the Nextcloud Tables app database.

Such unauthorized access and modification of data can lead to breaches of confidentiality and integrity, which are critical requirements under common standards and regulations like GDPR and HIPAA.

Therefore, if exploited, this vulnerability could result in non-compliance with these regulations due to unauthorized data exposure or alteration.

Impact Analysis

This vulnerability can have serious impacts including unauthorized extraction and modification of database information.

An attacker with low privileges and no user interaction required can exploit this vulnerability remotely over the network.

The impact includes compromise of data confidentiality and integrity, potentially leading to data breaches or unauthorized data manipulation.

Detection Guidance

This vulnerability affects Nextcloud versions 0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, and 1.0.0 to before 1.0.4, specifically the Tables app. Detection involves verifying if your Nextcloud instance is running one of these vulnerable versions with the Tables app enabled.

Since the vulnerability requires authenticated access to the Tables app and involves SQL injection, monitoring for unusual or unauthorized SQL queries or database activity related to the Tables app could help detect exploitation attempts.

No specific detection commands are provided in the available resources. However, you can check the installed Nextcloud version and the presence of the Tables app with commands like:

Check Nextcloud version: `occ status` or `occ version`
List installed apps: `occ app:list` and verify if the Tables app is enabled

Additionally, reviewing database logs for suspicious SQL queries or using network monitoring tools to detect unusual traffic patterns related to the Tables app might help, but no explicit commands are provided.

Mitigation Strategies

The primary mitigation is to upgrade Nextcloud to a patched version where this vulnerability is fixed. The patched versions are 0.7.7, 0.8.10, 0.9.8, 1.0.4, and 2.0.0 or later.

If immediate upgrading is not possible, a recommended workaround is to disable the Tables app to prevent exploitation.

Since the vulnerability requires authenticated access, reviewing and restricting user permissions to the Tables app can also reduce risk.

Hi! I’m here to help you understand CVE-2026-45545. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-45545

SQL Injection in Nextcloud Tables App

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart