CVE-2026-45691
Analyzed Analyzed - Analysis Complete
Authentication Bypass via Pre-2FA Session Cookie in Nextcloud Server

Publication date: 2026-06-01

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer token to authenticate against DAV endpoints, granting read/write access and bypassing mandatory two-factor authentication. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-04
Generated
2026-06-22
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-45691
EUVD
EUVD-2026-33718
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
nextcloud nextcloud_server From 32.0.0 (inc) to 32.0.9 (exc)
nextcloud nextcloud_server From 33.0.0 (inc) to 33.0.3 (exc)
nextcloud nextcloud_server From 29.0.0 (inc) to 29.0.16.16 (exc)
nextcloud nextcloud_server From 30.0.0 (inc) to 30.0.17.9 (exc)
nextcloud nextcloud_server From 31.0.0 (inc) to 31.0.14.5 (exc)
nextcloud nextcloud_server From 32.0.0 (inc) to 32.0.9 (exc)
nextcloud nextcloud_server From 33.0.0 (inc) to 33.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can impact you by allowing unauthorized users to bypass two-factor authentication and gain read/write access to your Nextcloud data.

Because the attacker can reuse a pre-2FA session cookie, they can access sensitive files and potentially modify or delete data.

The vulnerability requires low privileges to exploit and has a moderate severity score, with a high impact on data integrity.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade the Nextcloud Server or Nextcloud Enterprise Server to a patched version.

  • Upgrade Nextcloud Server to version 33.0.3 or 32.0.9.
  • Upgrade Nextcloud Enterprise Server to one of the following versions: 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, or 29.0.16.16.

No workarounds are provided, so applying the update is the only effective mitigation.

Executive Summary

CVE-2026-45691 is a vulnerability in Nextcloud Server where a session cookie created after password authentication but before completing two-factor authentication (2FA) can be reused as a Bearer token.

This allows an attacker to bypass mandatory 2FA by authenticating against DAV endpoints using this pre-2FA session cookie.

As a result, the attacker can gain read and write access to data without completing the second authentication factor.

Compliance Impact

The vulnerability allows bypassing mandatory two-factor authentication, granting attackers read/write access to sensitive data via DAV endpoints. This improper authentication weakness (CWE-287) could lead to unauthorized access and potential data integrity issues.

Such unauthorized access and potential data breaches may negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strong access controls and protection of sensitive data.

It is therefore critical to apply the recommended patches to mitigate this vulnerability and maintain compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45691. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart