Vypr Intelligence · AI-generated · Jun 1, 2026 · 25 CVEs

Nextcloud Server: 25 Vulnerabilities Disclosed in Single Batch

A significant batch of 25 vulnerabilities affecting Nextcloud Server and its apps was disclosed on June 1, 2026, ranging from low to high severity.

Key findings

  • 25 Nextcloud vulnerabilities disclosed simultaneously on June 1, 2026.
  • High severity flaws include SQL injection in the Tables app and calendar access bypass.
  • Multiple vulnerabilities affect authentication, including 2FA bypass and user enumeration.
  • File sharing and access control issues allow unauthorized data access and manipulation.
  • Patches are available for various Nextcloud Server versions and specific apps.

On June 1, 2026, a substantial cluster of 25 vulnerabilities was disclosed for the open-source content collaboration platform, Nextcloud. These vulnerabilities, disclosed within a two-hour window, span various components of Nextcloud Server and its associated apps, with severity ratings ranging from low (CVSSv3 2.6) to high (CVSSv3 8.2).

The disclosures highlight several distinct areas of concern within the platform. A notable group of vulnerabilities relates to authentication and authorization bypasses. For instance, CVE-2026-45690 and CVE-2026-45691, both rated Medium (CVSSv3 5.9), describe an authentication bypass that could circumvent two-factor authentication (2FA) protections by reusing a pre-2FA session cookie as a Bearer token. Similarly, CVE-2026-45281, a High severity (CVSSv3 8.1) flaw, allows an authenticated attacker with knowledge of other users' principal URLs to gain full access to their calendars.

Another theme emerging from the batch is the potential for unauthorized data access and manipulation. CVE-2026-45810 (Medium, CVSSv3 6.8) involves a missing check that allows authenticated users with access to any file comment to read the content of all comments. The Tables app is implicated in multiple vulnerabilities, including CVE-2026-45722 (High, CVSSv3 7.1) and CVE-2026-45545 (High, CVSSv3 8.2), which permit limited or arbitrary SQL injection, respectively. CVE-2026-45544 (Medium, CVSSv3 4.3) in the Tables app exposes view filter criteria to users with read-only permissions.

Several vulnerabilities also touch upon file sharing and access controls. CVE-2026-45282 (Medium, CVSSv3 6.5) allows an authenticated attacker to access attachments of link shares by knowing the share token, bypassing password protection or download restrictions. CVE-2026-45157 (Medium, CVSSv3 6.3) enables attackers with access to a file share to also access chunking uploads directly, potentially revealing temporary part files. Furthermore, CVE-2026-45275 (Medium, CVSSv3 6.5) in the Approval app allows a user without sharing permissions to force the system to share a file with approvers, leading to authorization bypass and privilege escalation.

Other disclosed issues include CVE-2026-45286 (Medium, CVSSv3 4.3), which allows user enumeration via the Calendar app's attendee suggestion endpoint, and CVE-2026-45279 (Medium, CVSSv3 4.4), where non-admin users could copy arbitrary files into their own Nextcloud directory under specific template configuration conditions. Low severity issues include CVE-2026-45278 (Low, CVSSv3 3.3), which involves open redirect vulnerabilities in user OIDC authentication, and CVE-2026-45155 (Low, CVSSv3 2.6), which allows adding unknown circles by ID to other circles due to a missing access check.

Patching information varies across the disclosed vulnerabilities. For Nextcloud Server, versions 31.0.12, 32.0.3, and 33.0.3 are mentioned as patched versions for some of the issues. Specific apps also have their own patch levels, such as the Approval app being patched in version 2.7.2, and the Tables app receiving fixes in versions 0.9.7, 1.0.2, 0.7.7, 0.8.10, 0.9.8, and 1.0.4. Users are advised to consult the specific CVE details for precise version information and apply the relevant updates to secure their Nextcloud instances.
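
One way to triage an installation against the patch levels listed above (an added example, not code from Nextcloud or the CVE records). The component keys, the per-branch grouping, and the use of the higher Tables fix on the 0.9 and 1.0 branches are assumptions, and the sample inventory is constructed; an `OK` result only means the version is at or above the listed floor.

```python
import re

# Patched releases named in the article, keyed by release branch. Tables has two
# fixes listed on the 0.9 and 1.0 branches, so the higher one is the floor.
# Value layout: (number of version parts that identify a branch, {branch: floor}).
FIXED = {
    "server": (1, {(31,): (31, 0, 12), (32,): (32, 0, 3), (33,): (33, 0, 3)}),
    "tables": (2, {(0, 7): (0, 7, 7), (0, 8): (0, 8, 10),
                   (0, 9): (0, 9, 8), (1, 0): (1, 0, 4)}),
    "approval": (0, {(): (2, 7, 2)}),  # one fix version, applies to every branch
}

def parse(version):
    """'31.0.9.1' -> (31, 0, 9): first three numeric parts, zero-padded."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def check(component, version):
    """Return 'OK', 'UPDATE' (below the branch floor) or 'UNLISTED' (the
    article names no fix for this branch; consult the CVE record)."""
    branch_len, floors = FIXED[component]
    v = parse(version)
    floor = floors.get(v[:branch_len])
    if floor is None:
        return "UNLISTED"
    # Tuple comparison is numeric, so 0.8.9 sorts below 0.8.10.
    return "OK" if v >= floor else "UPDATE"

def audit(server_version, apps):
    """apps maps app id -> installed version; apps without a listed fix are skipped."""
    findings = {"server": check("server", server_version)}
    for app_id, version in apps.items():
        if app_id in FIXED and app_id != "server":
            findings[app_id] = check(app_id, version)
    return findings

if __name__ == "__main__":
    # Constructed inventory for illustration (app ids and versions are sample values).
    sample_apps = {"tables": "0.9.7", "approval": "2.7.2", "calendar": "5.0.0"}
    for name, status in audit("32.0.2", sample_apps).items():
        print(f"{name:10} {status}")
```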

This large, coordinated disclosure underscores the importance of maintaining up-to-date instances of Nextcloud Server and its applications. The breadth of vulnerabilities, affecting core functionalities like authentication, file handling, and app integrations, necessitates prompt attention from administrators to mitigate potential risks.

AI-written article. Grounded in 25 CVE records listed below.