CVE-2026-45810
Status: Analyzed - Analysis Complete
Information Disclosure in Nextcloud Server

Publication date: 2026-06-01

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.12, and 32.0.0 to before 32.0.3, a missing check of a relation allowed authenticated users with access to any file comment to read the content of all comments. It is recommended that Nextcloud Server is upgraded to 31.0.12 or 32.0.3. It is recommended that Nextcloud Enterprise Server is upgraded to 21.0.9.20, 22.2.10.35, 23.0.12.31, 24.0.12.30, 25.0.13.25, 26.0.13.22, 27.1.11.22, 28.0.14.13, 29.0.16.10, 30.0.17.5, 31.0.12 or 32.0.3.
Meta Information
Published
2026-06-01
Last Modified
2026-06-04
Generated
2026-06-22
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
Affected Vendors & Products
Showing 14 associated CPEs
Vendor Product Version / Range
nextcloud nextcloud_server From 31.0.0 (inc) to 31.0.12 (exc)
nextcloud nextcloud_server From 32.0.0 (inc) to 32.0.3 (exc)
nextcloud nextcloud_server From 31.0.0 (inc) to 31.0.12 (exc)
nextcloud nextcloud_server From 32.0.0 (inc) to 32.0.3 (exc)
nextcloud nextcloud_server From 28.0.0 (inc) to 28.0.14.13 (exc)
nextcloud nextcloud_server From 29.0.0 (inc) to 29.0.16.10 (exc)
nextcloud nextcloud_server From 30.0.0 (inc) to 30.0.17.5 (exc)
nextcloud nextcloud_server From 21.0.0 (inc) to 21.0.9.20 (exc)
nextcloud nextcloud_server From 22.0.0 (inc) to 22.2.10.35 (exc)
nextcloud nextcloud_server From 23.0.0 (inc) to 23.0.12.31 (exc)
nextcloud nextcloud_server From 24.0.0 (inc) to 24.0.12.30 (exc)
nextcloud nextcloud_server From 25.0.0 (inc) to 25.0.13.25 (exc)
nextcloud nextcloud_server From 26.0.0 (inc) to 26.0.13.22 (exc)
nextcloud nextcloud_server From 27.0.0 (inc) to 27.1.11.22 (exc)
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

This vulnerability in Nextcloud Server involves a missing authorization check in the handling of file comments. Authenticated users who have access to any file comment could exploit this flaw to read the content of comments on all files, even those they should not have permission to access.

Specifically, the issue arises from a missing check in PROPFIND requests related to comment objects, allowing unauthorized reading of comments across files. This is classified as an authorization bypass vulnerability (CWE-639).
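As an added illustration (not Nextcloud's code), the following Python model shows the class of defect the summary describes: a comment read path that only confirms the caller may use comments at all, but never checks the relation between the requested comment and a file the caller can read, placed beside the corrected path that does. Every name, id and user below is constructed for the example.

```python
"""Model of a CWE-639 missing-relation check on comment objects.

Added illustration, not Nextcloud code. A comment belongs to a file (the
"relation"); a user may read a comment only if they may read that file.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Comment:
    comment_id: int
    object_id: int  # id of the file this comment is attached to
    author: str
    message: str


class Forbidden(Exception):
    """Raised when the caller may not read the requested comment."""


# Constructed sample data: hypothetical file ids, users and comments.
FILE_ACL = {
    101: {"alice", "bob"},  # file 101 is shared with alice and bob
    202: {"carol"},         # file 202 is visible only to carol
}
COMMENTS = {
    1: Comment(1, 101, "alice", "looks good"),
    2: Comment(2, 202, "carol", "confidential budget note"),
}


def can_read_file(user: str, object_id: int) -> bool:
    """True if the user appears in the ACL of the file."""
    return user in FILE_ACL.get(object_id, set())


def has_comment_access(user: str) -> bool:
    """True if the user can read at least one comment anywhere.

    This is the only condition the vulnerable path checks: being an
    authenticated user with access to *some* file comment.
    """
    return any(can_read_file(user, c.object_id) for c in COMMENTS.values())


def read_comment_vulnerable(user: str, comment_id: int) -> str:
    """Defective path: no check that the comment's file is readable by user."""
    if not has_comment_access(user):
        raise Forbidden("no access to comments")
    # Any comment id resolves once the feature-level check passed.
    return COMMENTS[comment_id].message


def read_comment_fixed(user: str, comment_id: int) -> str:
    """Corrected path: resolve the comment, then check the relation to its file."""
    comment = COMMENTS.get(comment_id)
    # Same response for "missing" and "not yours": avoids confirming which ids exist.
    if comment is None or not can_read_file(user, comment.object_id):
        raise Forbidden("comment not accessible")
    return comment.message


def is_readable(user: str, comment_id: int) -> bool:
    """Boolean wrapper around the fixed path, convenient for listing and tests."""
    try:
        read_comment_fixed(user, comment_id)
        return True
    except Forbidden:
        return False


def list_readable_comments(user: str) -> list[int]:
    """What a listing (PROPFIND-style enumeration) should return for this user."""
    return [cid for cid in sorted(COMMENTS) if is_readable(user, cid)]


if __name__ == "__main__":
    # bob may read file 101 only; comment 2 belongs to file 202.
    print("vulnerable:", read_comment_vulnerable("bob", 2))   # leaks carol's note
    print("fixed allows:", list_readable_comments("bob"))      # [1]
```

The point of the corrected path is the order of operations: load the object, then authorize against the resource it belongs to, and deny identically whether the object is missing or simply not the caller's.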

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive information contained within file comments. An authenticated user with access to any comment could read comments on files they are not authorized to access, potentially exposing confidential or private information.

This could compromise data confidentiality and privacy within the Nextcloud environment, increasing the risk of information leakage.

Mitigation Strategies

To mitigate this vulnerability, it is recommended to upgrade your Nextcloud Server to version 31.0.12 or 32.0.3.

For Nextcloud Enterprise Server, upgrade to one of the following patched versions: 21.0.9.20, 22.2.10.35, 23.0.12.31, 24.0.12.30, 25.0.13.25, 26.0.13.22, 27.1.11.22, 28.0.14.13, 29.0.16.10, 30.0.17.5, 31.0.12, or 32.0.3.

No workarounds are provided, so upgrading to the fixed versions is the immediate and effective step to prevent unauthorized access to comment data.

Compliance Impact

This vulnerability allows authenticated users with access to any file comment to read the content of all comments, including those they should not have permission to access.

Such unauthorized access to potentially sensitive comment data could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Therefore, if exploited, this vulnerability may compromise compliance with these standards by enabling unauthorized disclosure of protected information.

It is recommended to upgrade to the patched versions to mitigate this risk and maintain compliance.
