VYPR
Medium severity 4.6 · NVD Advisory · Published Jun 1, 2026 · Updated Jun 1, 2026

CVE-2026-45153

Description

A PIN bypass vulnerability in the Nextcloud Files app for Android allows unauthorized access to the application by using the back button after unlocking the device.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability exists in the PassCodeActivity component of the Nextcloud Files app for Android, affecting versions 33.0.0 through 33.0.x prior to 33.1.0 [2]. The flaw occurs because the application fails to properly enforce the PIN lock screen state when the user navigates back from the unlocked device state, allowing the application to be accessed without re-authentication [2].

Exploitation

An attacker must have physical access to a locked Android device that has the Nextcloud Files app installed and configured with a PIN. The exploitation sequence involves the user unlocking the physical device, followed by the attacker using the device's back-button functionality to bypass the application's PIN entry screen and gain access to the app's contents [2].

Impact

Successful exploitation allows an unauthorized user to bypass the application's PIN protection, resulting in a loss of confidentiality regarding the data stored within the Nextcloud Files app. The attacker gains access to the application's interface and potentially the sensitive files managed by the user, effectively circumventing the intended security controls [2].

Mitigation

This vulnerability has been addressed in Nextcloud Files for Android version 33.1.0 [2]. Users are advised to update their application to the latest version to ensure the PIN bypass is resolved [1].

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0a06757693cc

Merge pull request #16896 from nextcloud/refactor-2

https://github.com/nextcloud/android · Alper Öztürk · Apr 22, 2026 · via nvd-ref
1 file changed · +15 -0
  • app/src/main/java/com/owncloud/android/ui/activity/PassCodeActivity.kt (+15 -0, modified)
    @@ -36,6 +36,7 @@ import kotlinx.coroutines.Dispatchers
     import kotlinx.coroutines.delay
     import kotlinx.coroutines.launch
     import javax.inject.Inject
    +import androidx.activity.OnBackPressedCallback
     
     @Suppress("TooManyFunctions", "MagicNumber")
     class PassCodeActivity :
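
Review bot: the new androidx.activity.OnBackPressedCallback import is appended after javax.inject.Inject, below the kotlinx.coroutines imports, instead of being grouped with the other library imports above the javax line. Move it up into that block so the import list stays in one consistent order and the change reads as a single inserted line in the right place.
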
    @@ -90,6 +91,20 @@ class PassCodeActivity :
             setSoftInputMode()
             setupUI(savedInstanceState)
             setTextListeners()
    +        handleOnBackPressed()
    +    }
    +
    +    private fun handleOnBackPressed() {
    +        onBackPressedDispatcher.addCallback(
    +            this,
    +            object : OnBackPressedCallback(true) {
    +                override fun handleOnBackPressed() {
    +                    if (intent.action == ACTION_CHECK) return
    +                    isEnabled = false
    +                    onBackPressedDispatcher.onBackPressed()
    +                }
    +            }
    +        )
         }
     
         private fun applyTint() {
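
Review bot: the early return on intent.action == ACTION_CHECK inside the callback is the entire lock-screen enforcement, and it has neither a comment nor a test. Add a comment stating that back is swallowed so the passcode prompt cannot be dismissed, and an instrumented test that presses back under ACTION_CHECK and asserts PassCodeActivity is still in the foreground. Two smaller points in the same hunk: the private function handleOnBackPressed() has the same name as the override it registers, so a name such as registerBackPressedCallback() would read better; and because the guard depends only on the intent action, the callback could be created as OnBackPressedCallback(intent.action == ACTION_CHECK) with an empty handler, which removes the isEnabled = false and re-dispatch step.
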
    
