VYPR
Low severity 2.6 · NVD Advisory · Published Jun 1, 2026 · Updated Jun 1, 2026

CVE-2026-45154

Description

Nextcloud Collectives versions 2.6.0 through 4.2.x allow view-only guests to access deleted pages from the trashbin due to improper access control.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Nextcloud Collectives, an open-source content collaboration platform, contains an access control flaw affecting versions 2.6.0 through 4.2.x. The vulnerability exists when a collective page is deleted while the collective is shared with view-only permissions, allowing unauthorized access to the deleted content stored in the trashbin [2].

Exploitation

An attacker requires guest access to a collective that has been shared with view-only permissions. By navigating directly to the trashbin interface or accessing the deleted page's URI, a guest user can view content that should have been restricted to authorized users or administrators [2].

Impact

Successful exploitation allows unauthorized guests to view sensitive information contained within deleted pages that were intended to be inaccessible. This results in an information disclosure vulnerability, compromising the confidentiality of the collective's data [2].

Mitigation

This issue has been addressed in the 4.3.0 release of the Collectives app [1][2]. Users are advised to upgrade to this version immediately to resolve the vulnerability. No workarounds are available for this issue [2].

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

1a01a9e11531

chore: Improve handling of public page trash actions

https://github.com/nextcloud/collectives · Benjamin Frueh · Apr 7, 2026 · via nvd-ref
1 file changed · +1 0
  • lib/Controller/PublicPageTrashController.php · +1 0 · modified
    @@ -136,6 +136,7 @@ private function checkEditPermissions(): void {
     	#[AnonRateLimit(limit: 10, period: 10)]
     	public function index(): DataResponse {
     		$pageInfos = $this->handleErrorResponse(function (): array {
    +			$this->checkEditPermissions();
     			$owner = $this->getCollectiveShare()->getOwner();
     			$collectiveId = $this->getCollectiveShare()->getCollectiveId();
     			$pageInfos = $this->service->findAllTrash($collectiveId, $owner);
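Review bot: The new `$this->checkEditPermissions();` call at the top of the closure in `index()` ships without a test (1 file changed, +1), so nothing pins the behaviour it introduces. Please add a controller test asserting that a share without edit permission gets the error response from `index()` and that `findAllTrash()` is never reached. Because the check is a manual call repeated per action, it is also worth confirming that every other public action in `PublicPageTrashController` that reads or modifies trash makes the same call, or moving the check to one shared place so a new action cannot omit it. Finally, the commit subject "chore: Improve handling of public page trash actions" does not say that this restricts trash listing to shares with edit permission; a `fix:` subject that names the permission check would make the change easier to find and backport.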
    

