CVE-2026-45691
Authentication Bypass via Pre-2FA Session Cookie in Nextcloud Server
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | enterprise_server | From 33.0.0 (inc) |
| nextcloud | enterprise_server | From 32.0.9 (inc) |
| nextcloud | enterprise_server | 31.0.14.5 |
| nextcloud | enterprise_server | 30.0.17.9 |
| nextcloud | enterprise_server | 29.0.16.16 |
| nextcloud | server | From 32.0.0 (inc) to 32.0.9 (exc) |
| nextcloud | server | From 33.0.0 (inc) to 33.0.3 (exc) |
| nextcloud | enterprise_server | to 33.0.3 (inc) |
| nextcloud | enterprise_server | to 32.0.9 (inc) |
| nextcloud | enterprise_server | to 31.0.14.5 (inc) |
| nextcloud | enterprise_server | to 30.0.17.9 (inc) |
| nextcloud | enterprise_server | to 29.0.16.16 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows bypassing mandatory two-factor authentication, granting attackers read/write access to sensitive data via DAV endpoints. This improper authentication weakness (CWE-287) could lead to unauthorized access and potential data integrity issues.
Such unauthorized access and potential data breaches may negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strong access controls and protection of sensitive data.
It is therefore critical to apply the recommended patches to mitigate this vulnerability and maintain compliance with these regulations.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing unauthorized users to bypass two-factor authentication and gain read/write access to your Nextcloud data.
Because the attacker can reuse a pre-2FA session cookie, they can access sensitive files and potentially modify or delete data.
The vulnerability requires low privileges to exploit and has a moderate severity score, with a high impact on data integrity.
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate step to mitigate this vulnerability is to upgrade the Nextcloud Server or Nextcloud Enterprise Server to a patched version.
- Upgrade Nextcloud Server to version 33.0.3 or 32.0.9.
- Upgrade Nextcloud Enterprise Server to one of the following versions: 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, or 29.0.16.16.
No workarounds are provided, so applying the update is the only effective mitigation.
Can you explain this vulnerability to me?
CVE-2026-45691 is a vulnerability in Nextcloud Server where a session cookie created after password authentication but before completing two-factor authentication (2FA) can be reused as a Bearer token.
This allows an attacker to bypass mandatory 2FA by authenticating against DAV endpoints using this pre-2FA session cookie.
As a result, the attacker can gain read and write access to data without completing the second authentication factor.