CVE-2026-45264
Description
An ACL bypass in Nextcloud Team Folders allows users with READ and CREATE permissions to rename files despite lacking the required UPDATE permission.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Nextcloud Team Folders (also known as Groupfolders) contains an access control list (ACL) bypass vulnerability affecting versions 17.0.0 to 17.0.14, 18.0.0 to 18.1.11, 19.0.0 to 19.1.15, 20.0.0 to 20.1.10, and 21.0.0 to 21.0.3 [2]. The flaw exists in the rule checking logic, which fails to correctly validate permissions when a user attempts to rename a file within a team folder [1].
Exploitation
An attacker must have a valid user account with at least READ and CREATE permissions assigned for a specific team folder [2]. By interacting with the file system interface, the attacker can perform a rename operation on files within that folder, bypassing the intended restriction that requires UPDATE permissions for such actions [2].
Impact
Successful exploitation allows an unauthorized user to rename files within a team folder, potentially leading to data disruption or unauthorized modification of file metadata [2]. This represents a failure of the application's access control enforcement, granting users privileges beyond their assigned scope [2].
Mitigation
Users should update the Team Folders app to the patched versions: 17.0.15, 18.1.12, 19.1.16, 20.1.11, or 21.0.4 [2]. If an immediate update is not feasible, the Team Folders app can be disabled as a temporary workaround [2].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (1)
11416965ccefd Merge pull request #4361 from nextcloud/fix/acl/improve-rule-checking
1 file changed · +1 −1
lib/ACL/ACLStorageWrapper.php+1 −1 modified@@ -102,7 +102,7 @@ public function rename(string $source, string $target): bool { return ($sourceParent === $targetParent || $this->checkPermissions($sourceParent, Constants::PERMISSION_DELETE)) - && $this->checkPermissions($source, Constants::PERMISSION_UPDATE & Constants::PERMISSION_READ) + && $this->checkPermissions($source, Constants::PERMISSION_UPDATE | Constants::PERMISSION_READ) && $this->checkPermissions($target, $permissions) && parent::rename($source, $target); }
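Review bot: the one-character change is the right fix, but the hunk ships without a regression test or an explanatory comment, and the failure mode deserves both. The old expression `Constants::PERMISSION_UPDATE & Constants::PERMISSION_READ` ANDs two distinct single-bit flags, so the required mask passed to `checkPermissions($source, ...)` was 0 and the check held for every caller, which is exactly the rename bypass; `Constants::PERMISSION_UPDATE | Constants::PERMISSION_READ` produces the mask that demands both bits. Suggest adding a unit test that asserts `rename()` is refused for a user holding only READ and CREATE on the folder, and consider having `checkPermissions()` reject an empty required mask outright, since `&`/`|` confusion in flag arithmetic is easy to reintroduce and currently fails open.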
Vulnerability mechanics
Root cause
"Insufficient access control validation allows users to rename files in team folders without the required update permissions."
Attack vector
An attacker must possess READ and CREATE permissions for a specific team folder. By leveraging these existing privileges, the attacker can rename files within that folder despite lacking the necessary UPDATE permission. This vulnerability is triggered through the application's file management interface [ref_id=1].
Affected code
The issue resides within the ACL (Access Control List) rule checking logic of the groupfolders component [ref_id=1].
What the fix does
The vulnerability is addressed by improving the rule checking logic within the ACL system [1]. As the patch shows, the permission mask passed to the source-file check in rename() changes from a bitwise AND of UPDATE and READ to a bitwise OR, so the application now requires the caller to hold both the UPDATE and READ permissions before a rename of a file within a team folder is allowed. This prevents users from performing actions that exceed their assigned access levels.
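The following is an added example, not code from the Nextcloud Team Folders app, that models the flag arithmetic behind the fix. The flag values follow OCP\Constants (READ = 1, UPDATE = 2, CREATE = 4, DELETE = 8); the checkPermissions() function and the user's granted mask are assumptions constructed for the illustration, not the wrapper's real implementation. It shows why an ANDed mask let a READ+CREATE user through and why the ORed mask does not, and adds the defensive guard a reviewer would ask for: refusing an empty required mask instead of silently passing it.

```php
<?php
// Added example (not the project's own code): demonstrates why
// `UPDATE & READ` produced an empty permission mask and how `UPDATE | READ`
// fixes it. Flag values follow OCP\Constants; checkPermissions() below is a
// stand-in for the ACL wrapper's method and is an assumption for this demo.
declare(strict_types=1);

final class Constants {
    public const PERMISSION_READ   = 1;
    public const PERMISSION_UPDATE = 2;
    public const PERMISSION_CREATE = 4;
    public const PERMISSION_DELETE = 8;
}

/** Returns true only if every bit in $required is present in $granted. */
function checkPermissions(int $granted, int $required): bool {
    return ($granted & $required) === $required;
}

/**
 * Hardened variant: an empty required mask is treated as a programming
 * error rather than as "nothing to check", so a future &/| mix-up fails
 * closed instead of open.
 */
function checkPermissionsStrict(int $granted, int $required): bool {
    if ($required === 0) {
        throw new InvalidArgumentException('empty permission mask');
    }
    return checkPermissions($granted, $required);
}

// Constructed scenario: a user granted only READ and CREATE on the folder.
$granted = Constants::PERMISSION_READ | Constants::PERMISSION_CREATE;

// Vulnerable mask: 2 & 1 == 0, so no bit is ever required.
$vulnerableMask = Constants::PERMISSION_UPDATE & Constants::PERMISSION_READ;
// Fixed mask: 2 | 1 == 3, both bits are required.
$fixedMask      = Constants::PERMISSION_UPDATE | Constants::PERMISSION_READ;

printf("granted=%d vulnerableMask=%d rename allowed: %s\n", $granted, $vulnerableMask,
    checkPermissions($granted, $vulnerableMask) ? 'yes' : 'no');
printf("granted=%d fixedMask=%d rename allowed: %s\n", $granted, $fixedMask,
    checkPermissions($granted, $fixedMask) ? 'yes' : 'no');

// With the strict check the vulnerable mask is caught as a bug outright.
try {
    checkPermissionsStrict($granted, $vulnerableMask);
} catch (InvalidArgumentException $e) {
    printf("strict check rejected the mask: %s\n", $e->getMessage());
}
```

Run it with `php example.php`. The first line reports that the READ+CREATE user is allowed to rename under the pre-fix mask, the second that the post-fix mask refuses it, and the third that the strict variant surfaces the empty mask as an error. When auditing similar permission code, look for any `checkPermissions`-style call whose required mask is built with `&` between flag constants; a mask of zero is almost always a bug.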
Preconditions
- auth: The user must have READ and CREATE permissions for the target team folder.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (3)
Linked articles (0): No linked articles in our index yet.