CVE-2026-45690
Analyzed Analyzed - Analysis Complete
Authentication Bypass in Nextcloud Server

Publication date: 2026-06-01

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user's password to circumvent two-factor authentication (2FA) protections. When a user initiated login with valid credentials on a 2FA-enabled account, the system created a temporary session token before enforcing the second factor challenge. This token could be extracted and replayed via HTTP Basic Authentication to gain unauthorized access to authenticated endpoints. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-04
Generated
2026-06-22
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-45690
EUVD
EUVD-2026-33716
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
nextcloud nextcloud_server From 32.0.0 (inc) to 32.0.9 (exc)
nextcloud nextcloud_server From 33.0.0 (inc) to 33.0.3 (exc)
nextcloud nextcloud_server From 29.0.0 (inc) to 29.0.16.16 (exc)
nextcloud nextcloud_server From 30.0.0 (inc) to 30.0.17.9 (exc)
nextcloud nextcloud_server From 31.0.0 (inc) to 31.0.14.5 (exc)
nextcloud nextcloud_server From 32.0.0 (inc) to 32.0.9 (exc)
nextcloud nextcloud_server From 33.0.0 (inc) to 33.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Nextcloud Server and Enterprise Server versions where two-factor authentication (2FA) is bypassed. When a user logs in with a valid password on a 2FA-enabled account, the system creates a temporary session token before requiring the second authentication factor. An attacker who knows the user's password can extract and replay this token using HTTP Basic Authentication to gain unauthorized access to protected areas without completing the 2FA challenge.

Impact Analysis

The vulnerability allows attackers who have obtained a user's password to bypass the two-factor authentication protection, potentially gaining unauthorized access to sensitive or authenticated endpoints. This compromises the integrity of the system by allowing unauthorized actions or data access without completing the intended security step of 2FA.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade the Nextcloud Server or Enterprise Server to the patched versions.

  • Upgrade Nextcloud Server to version 33.0.3 or 32.0.9.
  • Upgrade Nextcloud Enterprise Server to one of the following versions: 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, or 29.0.16.16.

No workarounds are available, so upgrading is the only effective mitigation.

Compliance Impact

The vulnerability allows attackers who know a user's password to bypass two-factor authentication (2FA) protections by replaying a temporary session token, leading to unauthorized access to authenticated endpoints.

This unauthorized access could potentially lead to data breaches or unauthorized data exposure, which may impact compliance with standards and regulations such as GDPR and HIPAA that require strong authentication and protection of personal and sensitive data.

However, the provided information does not explicitly describe the direct effects on compliance with these regulations.

Detection Guidance

There are no specific detection commands or methods provided in the available resources for identifying exploitation or presence of this vulnerability on your network or system.

The vulnerability involves an attacker extracting and replaying a temporary session token created before the second factor authentication is enforced. Detection would likely require monitoring for unusual HTTP Basic Authentication usage or replayed session tokens, but no explicit commands or detection techniques are documented.

The recommended action is to upgrade affected Nextcloud Server or Enterprise Server versions to the patched releases to mitigate the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45690. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart