VYPR
Low severity (2.6) · NVD Advisory · Published Jun 1, 2026 · Updated Jun 1, 2026

CVE-2026-45155

Description

A missing access check in the Nextcloud Circles API allows unauthorized users to add circles to other circles if the target ID is known.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Nextcloud Server versions 32.0.0 through 32.0.6 and 33.0.0 are affected by a missing access control check in the API [2]. The flaw lies in the circles management functionality, where the system does not verify whether the calling user is permitted to add a specific circle to another circle [2].

Exploitation

An attacker must know a valid circle ID to exploit this flaw [2]. Because circle IDs have a key space of 62^15, brute-forcing is impractical; however, an attacker who obtains a circle ID through some other information disclosure vector can add that circle to another via the API [2].

Impact

Successful exploitation allows an attacker to track circle memberships by nesting circles [2]. This results in an unauthorized information disclosure regarding the structure and membership of private circles within the Nextcloud environment [2].

Mitigation

Users should upgrade to Nextcloud Server 32.0.7 or 33.0.1 [2]. Nextcloud Enterprise Server users should upgrade to 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7, or 33.0.1 [2]. If an immediate upgrade is not possible, the circles application can be disabled as a temporary workaround [2].

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 1

Commit 7d7d91c47872

Merge pull request #2401 from nextcloud/fix/add-circle-member

https://github.com/nextcloud/circles · Kate · Mar 17, 2026 · via nvd-ref
1 file changed · +13 −2
  • lib/Controller/LocalController.php (+13 −2, modified)
    @@ -227,6 +227,10 @@ public function memberAdd(string $circleId, string $userId, int $type): DataResp
     				$userId = $currentUser->getUserId() . '/' . $userId;
     			}
     
    +			if ($type === Member::TYPE_CIRCLE) {
    +				$this->circleService->getCircle($userId);
    +			}
    +
     			$federatedUser = $this->federatedUserService->generateFederatedUser($userId, $type);
     			$result = $this->memberService->addMember($circleId, $federatedUser);
     
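Review bot: the new guard `$this->circleService->getCircle($userId);` discards its return value, so it only blocks the add if `getCircle()` throws for a circle the current user cannot see; nothing in the hunk makes that contract visible, and a reader will take it for a dead call. Add a comment stating the intent (for example `// access check: throws if the circle is not visible to the current user`) and make sure the exception it raises is mapped to a proper error response rather than escaping as a generic server error. Also confirm that `$userId` still holds the bare circle id at this point: the line just above rewrites it as `$currentUser->getUserId() . '/' . $userId` inside a conditional whose condition lies outside the hunk, so the check must not run on a user-prefixed value when `$type === Member::TYPE_CIRCLE`.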
    @@ -253,11 +257,18 @@ public function membersAdd(string $circleId, array $members): DataResponse {
     
     			$federatedUsers = [];
     			foreach ($members as $member) {
    +				$userId = $this->get('id', $member);
    +				$type = $this->getInt('type', $member);
    +
    +				if ($type === Member::TYPE_CIRCLE) {
    +					$this->circleService->getCircle($userId);
    +				}
    +
     				// TODO: generate Multiple FederatedUsers using a single SQL request
     				try {
     					$federatedUsers[] = $this->federatedUserService->generateFederatedUser(
    -						$this->get('id', $member),
    -						$this->getInt('type', $member)
    +						$userId,
    +						$type,
     					);
     				} catch (MemberNotFoundException) {
     				}
    
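Review bot: the `getCircle($userId)` check for `TYPE_CIRCLE` entries sits before the `try` block, whose `catch (MemberNotFoundException)` silently skips members that cannot be resolved. Whatever `getCircle()` throws is therefore not caught here, so a single inaccessible or mistyped circle id aborts the whole batch and none of the remaining members are added, which changes the previous skip-and-continue behaviour of this loop. Either move the check inside the `try` and catch its exception alongside `MemberNotFoundException` so the failing entry is skipped like the others, or document that a bad circle id now fails the entire request. A short comment on why `getCircle()` is called with its result discarded would also help, since the same pattern appears in `memberAdd()`.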

Vulnerability mechanics

Root cause

"A missing access check in the API allows unauthorized users to add circles to other circles by their ID."

Attack vector

An attacker can exploit this vulnerability by providing a known circle ID to the API, which then adds that circle to another circle without verifying if the user has the necessary permissions. While the complexity of guessing circle IDs is high, an attacker who obtains a valid ID through other means can track memberships. This is triggered via the API endpoint handled by the affected controller [ref_id=1].

Affected code

The vulnerability is located in the `lib/Controller/LocalController.php` file, where the logic for adding circle members failed to perform necessary access checks [ref_id=1].

What the fix does

The patch adds a validation step to the controller before a member is added. In both `memberAdd()` and `membersAdd()`, when the member being added is of type `Member::TYPE_CIRCLE`, the controller now resolves the circle through `circleService->getCircle()` using the supplied id before generating the federated user and adding it [ref_id=1]. Because that lookup is scoped to the calling user, a circle the caller is not allowed to see cannot be nested, which closes the unauthorized addition path that the missing access control previously left open.
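As an added illustration, not Nextcloud's code and not part of this advisory, the following self-contained PHP model shows the guard pattern the patch relies on: for a member of circle type, the target circle is first resolved through a service scoped to the calling user, which throws when the circle is not visible to that user, so the add never happens. The class and function names, the member-type constant values and the scenario data are all constructed stand-ins and do not reflect the real Circles app internals.

```php
<?php
// Added illustration (not Nextcloud's code): a minimal model of the guard the
// patch introduces. Circle, CircleService, CircleNotFoundException and the
// memberAdd* functions are simplified stand-ins for the diff's vocabulary.
declare(strict_types=1);

final class CircleNotFoundException extends RuntimeException {}

final class Circle {
    /** @param string[] $members user ids that belong to (and can see) this circle */
    public function __construct(
        public readonly string $id,
        public readonly string $owner,
        public array $members = [],
    ) {}

    public function isVisibleTo(string $userId): bool {
        return $userId === $this->owner || in_array($userId, $this->members, true);
    }
}

final class CircleService {
    /** @var array<string, Circle> */
    private array $circles = [];

    // The service is bound to the calling user, like the per-request service
    // the controller uses; every lookup is answered from that user's viewpoint.
    public function __construct(private string $currentUser) {}

    public function register(Circle $c): void { $this->circles[$c->id] = $c; }

    // A circle the caller cannot see is reported as "not found", so an unknown
    // id and an inaccessible id are indistinguishable to the caller.
    public function getCircle(string $id): Circle {
        $c = $this->circles[$id] ?? null;
        if ($c === null || !$c->isVisibleTo($this->currentUser)) {
            throw new CircleNotFoundException("circle $id not found");
        }
        return $c;
    }
}

const TYPE_USER = 1;    // constructed values; the app's own Member constants may differ
const TYPE_CIRCLE = 16;

// Unpatched shape: the member is nested without checking the caller can see it.
function memberAddUnpatched(Circle $target, string $memberId, int $type): void {
    $target->members[] = $memberId;
}

// Patched shape: circle-type members are resolved through the caller-scoped
// service first; CircleNotFoundException aborts the add before any change.
function memberAddPatched(CircleService $svc, Circle $target, string $memberId, int $type): void {
    if ($type === TYPE_CIRCLE) {
        $svc->getCircle($memberId); // access check: throws if not visible to the current user
    }
    $target->members[] = $memberId;
}

// Constructed scenario: "mallory" owns circle m1 and has learned the id p1 of a
// private circle owned by "alice" in which mallory is not a member.
$private = new Circle('p1', 'alice', ['bob']);
$own     = new Circle('m1', 'mallory');
$svc = new CircleService('mallory');
$svc->register($private);
$svc->register($own);

memberAddUnpatched($own, 'p1', TYPE_CIRCLE);
echo "unpatched: m1 now contains " . implode(',', $own->members) . "\n";

$own2 = new Circle('m2', 'mallory');
$svc->register($own2);
try {
    memberAddPatched($svc, $own2, 'p1', TYPE_CIRCLE);
} catch (CircleNotFoundException $e) {
    echo "patched: rejected (" . $e->getMessage() . ")\n";
}
// Non-circle members are unaffected by the guard.
memberAddPatched($svc, $own2, 'bob', TYPE_USER);
echo "patched: m2 contains " . implode(',', $own2->members) . "\n";
```

Run with `php model.php` (PHP 8.1 or newer for the readonly promoted properties). The first call nests the private circle unconditionally; the second is rejected because the lookup is answered from the caller's viewpoint, while the plain user member is still added. The model also makes the review point above concrete: the guard's whole effect is the exception, so a caller that swallows every exception from the lookup would silently reopen the gap.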

Preconditions

  • auth: The attacker must have a valid user account on the Nextcloud instance.
  • input: The attacker must possess the ID of the target circle they wish to add.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3