VYPR
Medium severity (6.3) · NVD Advisory · Published Jun 1, 2026 · Updated Jun 1, 2026

CVE-2026-45157

Description

Nextcloud Server allows users with access to a file share to view temporary chunked upload files via the share token, potentially exposing sensitive data during transfers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Nextcloud Server versions 32.0.0 through 32.0.8 and 33.0.0 through 33.0.2 contain an improper access control flaw in the chunked upload mechanism of the DAV app [2]. A valid share token for a file share was enough to reach the intermediate nodes of an upload that was still in progress: the upload root collection permitted listing, and GET was not refused on the temporary part and future-file nodes [2]. The result is unauthorized visibility into intermediate files created while an upload is running [1].

Exploitation

An attacker requires an existing, valid share token for a file share owned by another user [2]. By leveraging this token, the attacker can directly access the chunking upload endpoint to enumerate and view temporary part files that are being generated while an upload is in progress [2]. No special administrative privileges or complex network positioning are required beyond the ability to interact with the share via the provided token.

Impact

Successful exploitation allows an attacker to gain unauthorized access to temporary data being uploaded to the platform [2]. This results in an information disclosure vulnerability, potentially exposing sensitive file contents or metadata before the upload process is completed and the final file is moved to its destination.

Mitigation

Users should upgrade to Nextcloud Server versions 32.0.9 or 33.0.3 to resolve this issue [2]. For Nextcloud Enterprise Server users, the recommended versions are 26.0.13.26, 27.1.11.25, 28.0.14.17, 29.0.16.16, 30.0.17.9, 31.0.14.5, 32.0.9, or 33.0.3 [2]. There are no known workarounds available for this vulnerability [2].
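A practitioner reading the Mitigation section mostly wants to know whether a given instance falls inside the affected ranges. The following is an added example for this page, not code from Nextcloud or from this advisory; it classifies the version string an instance publishes in its status.php JSON against the fixed builds listed above. Two things are assumptions rather than statements from the page: that status.php carries the version in a "versionstring" (and four-part "version") field, and that on each Enterprise branch every build below the listed fixed build counts as affected.

```python
"""Offline version check against the ranges named in this advisory.

Added example, not Nextcloud code. It classifies the "versionstring" (or the
4-part "version") field a Nextcloud instance publishes at /status.php against
the fixed builds listed under Mitigation.

Assumptions (not stated on the advisory page):
  * status.php exposes "versionstring" / "version" fields as used below;
  * on each Enterprise branch, every build below the listed fixed build on
    the same major.minor branch is treated as affected.
"""
import json
import re

# First fixed build per major.minor branch, copied from the Mitigation section.
FIXED_BY_BRANCH = {
    (26, 0): (26, 0, 13, 26),
    (27, 1): (27, 1, 11, 25),
    (28, 0): (28, 0, 14, 17),
    (29, 0): (29, 0, 16, 16),
    (30, 0): (30, 0, 17, 9),
    (31, 0): (31, 0, 14, 5),
    (32, 0): (32, 0, 9),
    (33, 0): (33, 0, 3),
}


def parse_version(text):
    """Turn '32.0.8', '32.0.8.1' or '33.0.3 RC1' into a tuple of ints.

    Only the leading dotted-numeric run is used, so a pre-release label is
    ignored and '33.0.3 RC1' compares as 33.0.3.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def first_fixed_for(version_text):
    """Return the first fixed build on this version's branch, or None."""
    v = parse_version(version_text)
    if len(v) < 2:
        return None
    return FIXED_BY_BRANCH.get((v[0], v[1]))


def classify(version_text):
    """Return 'affected', 'fixed' or 'unlisted' for one version string.

    'unlisted' means the major.minor branch is not named in the advisory at
    all (for example 34.x), so nothing can be concluded from this page alone.
    """
    fixed = first_fixed_for(version_text)
    if fixed is None:
        return "unlisted"
    v = parse_version(version_text)
    # Tuple comparison is lexicographic: (32, 0, 8, 1) < (32, 0, 9) is True,
    # while the exact fixed build (e.g. (33, 0, 3)) is not below itself.
    return "affected" if v < fixed else "fixed"


def check_status_json(status_json):
    """Classify the JSON body of /status.php (assumed field names, see above)."""
    data = json.loads(status_json)
    version_text = data.get("versionstring") or data.get("version")
    if not version_text:
        raise ValueError("status.php body has no version fields")
    fixed = first_fixed_for(version_text)
    return {
        "version": version_text,
        "verdict": classify(version_text),
        "first_fixed": ".".join(str(p) for p in fixed) if fixed else None,
    }


# Constructed sample of a status.php body; not captured from a real instance.
SAMPLE_STATUS = json.dumps({
    "installed": True,
    "maintenance": False,
    "needsDbUpgrade": False,
    "version": "32.0.8.1",
    "versionstring": "32.0.8",
    "edition": "",
    "productname": "Nextcloud",
    "extendedSupport": False,
})

if __name__ == "__main__":
    print(check_status_json(SAMPLE_STATUS))
```

To use it against a live instance, feed the body of `https://<host>/status.php` to `check_status_json`; an "unlisted" verdict means the branch is simply not named here and should be checked against the vendor advisory rather than treated as safe.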

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 1

Commit def4450a7a64

Merge pull request #59780 from nextcloud/fix/dav-chunks

https://github.com/nextcloud/server · Stephan Orbaugh · Apr 22, 2026 · via nvd-ref
4 files changed · +16 −10
  • apps/dav/lib/Upload/ChunkingV2Plugin.php (+12 −1, modified)
    @@ -30,6 +30,7 @@
     use OCP\Lock\ILockingProvider;
     use Sabre\DAV\Exception\BadRequest;
     use Sabre\DAV\Exception\InsufficientStorage;
    +use Sabre\DAV\Exception\MethodNotAllowed;
     use Sabre\DAV\Exception\NotFound;
     use Sabre\DAV\Exception\PreconditionFailed;
     use Sabre\DAV\ICollection;
    @@ -68,14 +69,24 @@ public function __construct(ICacheFactory $cacheFactory) {
     	 * @inheritdoc
     	 */
     	public function initialize(Server $server) {
    -		$server->on('afterMethod:MKCOL', [$this, 'afterMkcol']);
    +		$server->on('beforeMethod:GET', $this->beforeGet(...));
     		$server->on('beforeMethod:PUT', [$this, 'beforePut']);
     		$server->on('beforeMethod:DELETE', [$this, 'beforeDelete']);
     		$server->on('beforeMove', [$this, 'beforeMove'], 90);
    +		$server->on('afterMethod:MKCOL', [$this, 'afterMkcol']);
     
     		$this->server = $server;
     	}
     
    +	protected function beforeGet(RequestInterface $request) {
    +		$sourceNode = $this->server->tree->getNodeForPath($request->getPath());
    +		if (($sourceNode instanceof FutureFile) || ($sourceNode instanceof UploadFile)) {
    +			throw new MethodNotAllowed('Reading intermediate uploads is not allowed');
    +		}
    +
    +		return true;
    +	}
    +
     	/**
     	 * @param string $path
     	 * @param bool $createIfNotExists
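Review bot: only GET is hooked here (beforeMethod:GET), so confirm it is the sole route to the bytes of a FutureFile or UploadFile node; COPY with such a node as its source is not intercepted, since the plugin registers beforeMove but no beforeCopy. Two smaller points in the same hunk: the new handler is registered with first-class callable syntax ($this->beforeGet(...)) while its neighbours use [$this, 'beforePut'] arrays, so pick one style; and moving the afterMethod:MKCOL registration to the end of the list has no functional effect visible here and only adds noise to the diff.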
    
  • apps/dav/lib/Upload/RootCollection.php (+1 −0, modified)
    @@ -26,6 +26,7 @@ public function __construct(
     		private IManager $shareManager,
     	) {
     		parent::__construct($principalBackend, $principalPrefix);
    +		$this->disableListing = true;
     	}
     
     	/**
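Review bot: the flag is set without any explanation of intent; a one-line comment above $this->disableListing = true saying that the upload root must not be enumerable by share-token holders (while getChild by name keeps working) would save the next reader a trip to the CVE.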
    
  • apps/dav/lib/Upload/UploadHome.php (+2 −8, modified)
    @@ -14,6 +14,7 @@
     use OCP\Files\NotFoundException;
     use OCP\IUserSession;
     use Sabre\DAV\Exception\Forbidden;
    +use Sabre\DAV\Exception\MethodNotAllowed;
     use Sabre\DAV\Exception\NotFound;
     use Sabre\DAV\ICollection;
     
    @@ -62,14 +63,7 @@ public function getChild($name): UploadFolder {
     	}
     
     	public function getChildren(): array {
    -		return array_map(function ($node) {
    -			return new UploadFolder(
    -				$node,
    -				$this->cleanupService,
    -				$this->getStorage(),
    -				$this->uid,
    -			);
    -		}, $this->impl()->getChildren());
    +		throw new MethodNotAllowed('Listing members of this collection is disabled');
     	}
     
     	public function childExists($name): bool {
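Review bot: getChildren is overridden to throw MethodNotAllowed, whereas RootCollection in this same patch gets the equivalent effect with $this->disableListing = true; if UploadHome derives from the same base class, prefer the flag so both collections refuse listing the same way. Also check whether $this->cleanupService and getStorage() still have callers in this class once the array_map body is gone; if the removed block was their only user they are now dead.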
    
  • build/integration/filesdrop_features/filesdrop.feature (+1 −1, modified)
    @@ -199,7 +199,7 @@ Scenario: Files drop allow MKCOL without a nickname
         And Downloading public folder "Mallory/folder"
         Then the HTTP status code should be "405"
         And Downloading public file "Mallory/folder/a.txt"
    -    Then the HTTP status code should be "405"
    +    Then the HTTP status code should be "404"
     
       Scenario: Files drop requires nickname if file request is enabled
         Given user "user0" exists
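Review bot: the expected status for downloading the public file Mallory/folder/a.txt changes from 405 to 404 while the folder case two lines above stays at 405, and the scenario gives no hint why file and folder now differ; add a short note in the scenario stating that the file is now reported as not found rather than method-not-allowed. The patch also adds no scenario for the fix itself, so consider one that issues GET against an in-progress upload node and expects the 405 that MethodNotAllowed produces.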
    

References: 3