CVE-2026-45690
Status: Received - Intake
Authentication Bypass in Nextcloud Server

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Nextcloud is an open source content collaboration platform. Nextcloud Server versions 32.0.0 up to but not including 32.0.9, and 33.0.0 up to but not including 33.0.3, contain an authentication bypass that lets an attacker who already knows a user's password circumvent two-factor authentication (2FA). When a user with 2FA enabled submits valid credentials, the server creates a temporary session token before the second factor has been verified. An attacker holding the password can obtain that token and replay it via HTTP Basic Authentication to reach authenticated endpoints without ever completing the 2FA challenge. Nextcloud Server should be upgraded to 33.0.3 or 32.0.9; Nextcloud Enterprise Server should be upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16.
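As an added illustration (a constructed model, not Nextcloud's code), the following Python shows the class of flaw the description is about: a session token minted after the password check but before the second factor, and two HTTP Basic Authentication handlers over the same token store, one that never consults the pending-2FA state and one that refuses such tokens on every authentication path. The user store, password, verification code, in-memory session table and the presentation of the token as the Basic password are all constructed assumptions for the example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed user store (not a real Nextcloud database): the password hash and
# the expected second-factor code are fixed here so the example runs offline.
_SALT = b"constructed-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    "alice": {"pw": _hash_password("correct horse battery staple"), "code": "123456"},
}


@dataclass
class Session:
    user: str
    second_factor_pending: bool  # True until the 2FA challenge has been solved


# token -> Session. Constructed in-memory session table.
SESSIONS: dict[str, Session] = {}


def login_with_password(user: str, password: str) -> str | None:
    """First login step. Mints a token as soon as the password checks out,
    i.e. before the second factor, which is the state the advisory describes."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["pw"], _hash_password(password)):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = Session(user=user, second_factor_pending=True)
    return token


def complete_second_factor(token: str, code: str) -> bool:
    """Second login step: clears the pending flag only on a correct code."""
    session = SESSIONS.get(token)
    if session is None or not hmac.compare_digest(USERS[session.user]["code"], code):
        return False
    session.second_factor_pending = False
    return True


def basic_auth_header(user: str, secret: str) -> str:
    """Builds the header an attacker would replay: the token used as the Basic password."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()


def _parse_basic(header: str) -> tuple[str, str] | None:
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, secret = base64.b64decode(blob, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, secret


def authenticate_basic_vulnerable(header: str) -> str | None:
    """Vulnerable pattern: any token present in the store counts as a login,
    so the pre-2FA token is accepted on authenticated endpoints."""
    parsed = _parse_basic(header)
    if parsed is None:
        return None
    user, secret = parsed
    session = SESSIONS.get(secret)
    return session.user if session is not None and session.user == user else None


def authenticate_basic_fixed(header: str) -> str | None:
    """Hardened pattern: the same lookup, but a token whose second factor is
    still pending is not an authenticated session on any auth path."""
    parsed = _parse_basic(header)
    if parsed is None:
        return None
    user, secret = parsed
    session = SESSIONS.get(secret)
    if session is None or session.user != user or session.second_factor_pending:
        return None
    return session.user
```

The point of the fixed handler is not the extra line itself but where it sits: the pending flag has to be enforced at the single place every authentication path (browser session, Basic Auth, app tokens) resolves a token into an identity, otherwise a second path will honour the token the first path only half-issued.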
Meta Information
Generated: 2026-06-02
AI Q&A: 2026-06-01
EPSS Evaluated: N/A
Cross-references: NVD, EUVD
Affected Vendors & Products
Showing 22 associated CPEs

Vendor     Product            Version / Range
nextcloud  server             From 32.0.0 (inc) to 32.0.9 (exc)
nextcloud  server             From 33.0.0 (inc) to 33.0.3 (exc)
nextcloud  server             32.0.9
nextcloud  server             33.0.3
nextcloud  enterprise_server  From 29.0.0 (inc)
nextcloud  enterprise_server  From 30.0.0 (inc)
nextcloud  enterprise_server  From 31.0.0 (inc)
nextcloud  enterprise_server  From 32.0.0 (inc)
nextcloud  enterprise_server  From 33.0.0 (inc)
nextcloud  enterprise_server  From 32.0.0 (inc) to 32.0.9 (inc)
nextcloud  enterprise_server  From 33.0.0 (inc) to 33.0.3 (inc)
nextcloud  enterprise_server  to 29.0.16.16 (inc)
nextcloud  enterprise_server  to 30.0.17.9 (inc)
nextcloud  enterprise_server  to 31.0.14.5 (inc)
nextcloud  enterprise_server  to 32.0.9 (inc)
nextcloud  enterprise_server  to 33.0.3 (inc)
nextcloud  enterprise_server  29.0.0
nextcloud  enterprise_server  30.0.0
nextcloud  enterprise_server  31.0.0
nextcloud  enterprise_server  29.0.16.16
nextcloud  enterprise_server  30.0.17.9
nextcloud  enterprise_server  31.0.14.5

Note on the CPE rows: the Enterprise Server ranges end at the fixed releases with an inclusive bound ("to 32.0.9 (inc)"), and 32.0.9 and 33.0.3 also appear as standalone Server entries, although the description above names exactly those releases as the fix and the Server ranges use the exclusive "(exc)" bound. Treat the description's ranges as authoritative: an instance already on a listed fixed release is not affected, and the CPE data should not be read as saying otherwise.
CWE
CWE-287 (Improper Authentication): When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

An attacker who knows a user's password can bypass two-factor authentication (2FA) by replaying a temporary session token, and so reach authenticated endpoints as that user.

Such access can lead to unauthorized disclosure of personal or sensitive data, which matters under regimes like GDPR and HIPAA that expect strong authentication and protection of that data.

The advisory itself does not describe any specific compliance consequences; the actual impact depends on what data the affected instance holds and who could have obtained user passwords.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The advisory publishes no detection commands or indicators of compromise for this vulnerability.

Because exploitation replays a session token minted before the second factor is enforced, and does so over HTTP Basic Authentication, detection would have to rely on spotting Basic Auth requests to authenticated endpoints from 2FA-enabled accounts that never completed their challenge. The page documents no specific log fields or queries for that.

The reliable action is to confirm the version the instance is running and upgrade affected Nextcloud Server or Enterprise Server installations to the patched releases.


Can you explain this vulnerability to me?

This vulnerability affects Nextcloud Server and Enterprise Server versions where two-factor authentication (2FA) is bypassed. When a user logs in with a valid password on a 2FA-enabled account, the system creates a temporary session token before requiring the second authentication factor. An attacker who knows the user's password can extract and replay this token using HTTP Basic Authentication to gain unauthorized access to protected areas without completing the 2FA challenge.


How can this vulnerability impact me?

An attacker who has obtained a user's password can bypass the two-factor authentication protection and gain unauthorized access to that user's authenticated endpoints. The second factor is the control meant to contain a stolen or guessed password; with it bypassed, the attacker can read and act on the user's data as though fully logged in.


What immediate steps should I take to mitigate this vulnerability?

The recommended immediate step to mitigate this vulnerability is to upgrade the Nextcloud Server or Enterprise Server to the patched versions.

  • Upgrade Nextcloud Server to version 33.0.3 or 32.0.9.
  • Upgrade Nextcloud Enterprise Server to one of the following versions: 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, or 29.0.16.16.

The advisory lists no workaround, so upgrading is the only documented mitigation.
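As an added practitioner check serving both the detection question above and the upgrade list here (this is not Nextcloud's own tooling), the following Python compares the version an instance reports against the fixed releases named in this advisory. Nextcloud exposes its version in the JSON served unauthenticated at `<instance>/status.php`; the sample body below is constructed, and the edition is passed in explicitly as an assumption because the advisory names different fixed releases for Server and Enterprise Server. For the 29.x to 31.x Enterprise branches the affected range is taken as everything from X.0.0 up to the named fix, which is how the CPE rows read; the advisory does not list community Server 31.x or earlier as affected, and the check follows that.

```python
from __future__ import annotations

import json

# First affected release (inclusive) -> first fixed release (exclusive), per
# edition, as stated in the advisory and CPE rows on this page.
AFFECTED_RANGES = {
    "server": {
        "32.0.0": "32.0.9",
        "33.0.0": "33.0.3",
    },
    "enterprise_server": {
        "29.0.0": "29.0.16.16",
        "30.0.0": "30.0.17.9",
        "31.0.0": "31.0.14.5",
        "32.0.0": "32.0.9",
        "33.0.0": "33.0.3",
    },
}


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Turns '32.0.8.1' or '32.0.9' into a comparable 4-tuple (missing parts are 0)."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


def first_fixed_release(version: str, edition: str) -> str | None:
    """The release an affected instance should move to, or None if not affected."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES[edition].items():
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return first_fixed
    return None


def is_affected(version: str, edition: str) -> bool:
    """True when the version falls inside an affected range for the given edition."""
    return first_fixed_release(version, edition) is not None


def assess_status_json(body: str, edition: str) -> dict:
    """Evaluates the JSON body of status.php. Only the 'version' key is used."""
    data = json.loads(body)
    version = data["version"]
    return {
        "version": version,
        "edition": edition,
        "affected": is_affected(version, edition),
        "upgrade_to": first_fixed_release(version, edition),
    }


# Constructed sample of a status.php body (field names follow the real
# endpoint; the values are made up for this example).
SAMPLE_STATUS_BODY = json.dumps({
    "installed": True, "maintenance": False, "needsDbUpgrade": False,
    "version": "32.0.8.1", "versionstring": "32.0.8", "edition": "",
    "productname": "Nextcloud", "extendedSupport": False,
})

if __name__ == "__main__":
    print(assess_status_json(SAMPLE_STATUS_BODY, "server"))
```

Against a live instance, fetch the body with `curl -s https://cloud.example.org/status.php` (hostname assumed) and pass it to assess_status_json. Four-component version strings such as 32.0.8.1 are normal for Nextcloud; the tuple comparison puts 32.0.8.1 below 32.0.9 and 32.0.9.1 at or above it, so patched point releases are reported as fixed.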

