VYPR
Low severity · 3.5 · NVD Advisory · Published Jun 1, 2026 · Updated Jun 1, 2026

CVE-2026-45266

Description

A missing permission check in Nextcloud Talk allows low-privileged users to force-mute other participants in calls when the High-performance Backend is not installed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Nextcloud Talk contains an authorization flaw where a low-privileged user can manipulate the microphone state of other participants during a call. The flaw is reachable only when the High-performance Backend is not installed, because signaling then goes through Talk's internal signaling endpoint, which checked the sender's permissions in the room that the sender's own session belongs to but did not verify that the message recipient belongs to that same room [1], [2]. The issue affects Nextcloud Talk versions prior to 21.1.10, 22.0.11, and 23.0.3 [2].

Exploitation

An attacker needs an account on the Nextcloud instance, a session in a call, and an instance on which the High-performance Backend is not configured. By sending a force-mute control message through the internal signaling endpoint, addressed to a session that the endpoint never checks against the sender's room, the attacker can mute other participants without holding administrative or moderator permissions in the targeted conversation [2].
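
To make the authorization gap in the two paragraphs above concrete, here is an added Python model of the two dispatcher shapes visible in the patch further down this page. It is not Nextcloud Talk code; the users, sessions, room tokens and the `force_mute` payload shape are constructed, and the sample data assume the attacker already holds moderator rights in a conversation of their own, which is exactly what the sender-side check in the diff verifies. The model follows my reading of the diff: before the fix a control message's sender had to be a moderator in the room of the sender's own session, but the `to` session was never checked to live in that room, so a moderator of one conversation could address a participant in another; after the fix the recipient must resolve inside the sender's room before any type-specific check runs.

```python
from dataclasses import dataclass
from typing import Optional


class ParticipantNotFoundException(Exception):
    """Raised when a session id does not belong to the given room."""


@dataclass(frozen=True)
class Participant:
    user_id: str
    session_id: str
    room_token: str
    moderator: bool  # moderator permission in room_token only


# Constructed sample state (assumption, not data from a real instance):
# "mallory" is moderator of her own conversation "team-a"; the victim "alice"
# and the real moderator "bob" sit in a different conversation, "board",
# where mallory also has a plain, non-moderator session.
PARTICIPANTS = [
    Participant("mallory", "sess-m1", "team-a", moderator=True),
    Participant("alice", "sess-a1", "board", moderator=False),
    Participant("bob", "sess-b1", "board", moderator=True),
    Participant("mallory", "sess-m2", "board", moderator=False),
]


def get_room_for_session(user_id: str, session_id: str) -> str:
    """Resolve the room a (user, session) pair belongs to; this is how the
    sender's room is derived in both dispatcher versions."""
    for p in PARTICIPANTS:
        if p.user_id == user_id and p.session_id == session_id:
            return p.room_token
    raise ParticipantNotFoundException(session_id)


def get_participant_by_session(room_token: str, session_id: Optional[str]) -> Participant:
    """Look a session up inside one specific room. Binding the recipient to the
    sender's room through this lookup is the check the fix adds."""
    for p in PARTICIPANTS:
        if p.room_token == room_token and p.session_id == session_id:
            return p
    raise ParticipantNotFoundException(session_id)


def dispatch_vulnerable(user_id: str, message: dict) -> Optional[str]:
    """Pre-fix shape: only the sender's moderator flag, in the room of the
    sender's own session, gates a control message. Returns the recipient
    session id when the message would be delivered, None when it is dropped."""
    room = get_room_for_session(user_id, message["sessionId"])
    sender = get_participant_by_session(room, message["sessionId"])
    if message["type"] == "control" and not sender.moderator:
        return None
    return message.get("to")  # delivered to whatever 'to' names, in any room


def dispatch_fixed(user_id: str, message: dict) -> Optional[str]:
    """Post-fix shape: the recipient must resolve in the sender's room before
    the type-specific permission check. A missing 'to' is treated as not found
    rather than raising, so malformed messages are dropped, not errored."""
    room = get_room_for_session(user_id, message["sessionId"])
    sender = get_participant_by_session(room, message["sessionId"])
    try:
        recipient = get_participant_by_session(room, message.get("to"))
    except ParticipantNotFoundException:
        return None  # recipient outside the sender's room (or absent): drop
    if message["type"] == "control" and not sender.moderator:
        return None
    return recipient.session_id


def force_mute(session_id: str, target: str) -> dict:
    """Build a control message of the kind a moderator sends to mute someone.
    Key names mirror the controller's $message/$decodedMessage fields; the
    payload content is an assumption."""
    return {"sessionId": session_id, "type": "control", "to": target,
            "payload": {"action": "forceMute"}}


if __name__ == "__main__":
    # mallory, moderator only of "team-a", targets alice's session in "board"
    cross_room = force_mute("sess-m1", "sess-a1")
    print("vulnerable:", dispatch_vulnerable("mallory", cross_room))
    print("fixed:     ", dispatch_fixed("mallory", cross_room))
```

Running the block shows the cross-room message delivered by the vulnerable dispatcher and dropped by the fixed one, while a moderator of the target room (bob) still gets through in both versions and a non-moderator session in the target room (mallory's `sess-m2`) is rejected in both; the difference is purely whether the recipient is bound to the sender's room.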

Impact

Successful exploitation allows an unauthorized user to disrupt communication by forcing other participants' microphones to be muted. This results in a loss of availability for the audio stream of affected users, potentially impacting the integrity of collaborative sessions [2].

Mitigation

Users should upgrade to Nextcloud Talk versions 21.1.10, 22.0.11, or 23.0.3 to resolve this vulnerability [2]. If an immediate upgrade is not possible, administrators can mitigate the risk by disabling the Talk app or by installing the Nextcloud Talk High-performance Backend [2].

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (1)
ba1e3aa177cc

Merge pull request #17577 from nextcloud/bugfix/noid/check-recipient-room

https://github.com/nextcloud/spreed · Anna · Apr 1, 2026 · via nvd-ref
1 file changed · +9 −6
  • lib/Controller/SignalingController.php · +9 −6 · modified
    @@ -389,17 +389,20 @@ public function sendMessages(string $token, string $messages): DataResponse {
     					}
     					$decodedMessage['from'] = $message['sessionId'];
     
    -					if ($decodedMessage['type'] === 'control') {
    -						$room = $this->manager->getRoomForSession($this->userId, $message['sessionId']);
    -						$participant = $this->participantService->getParticipantBySession($room, $message['sessionId']);
    +					$room = $this->manager->getRoomForSession($this->userId, $message['sessionId']);
    +					$participant = $this->participantService->getParticipantBySession($room, $message['sessionId']);
    +					try {
    +						$this->participantService->getParticipantBySession($room, $decodedMessage['to']);
    +					} catch (ParticipantNotFoundException) {
    +						break;
    +					}
     
    +
    +					if ($decodedMessage['type'] === 'control') {
     						if (!$participant->hasModeratorPermissions(false)) {
     							break;
     						}
     					} elseif ($decodedMessage['type'] === 'offer' || $decodedMessage['type'] === 'answer') {
    -						$room = $this->manager->getRoomForSession($this->userId, $message['sessionId']);
    -						$participant = $this->participantService->getParticipantBySession($room, $message['sessionId']);
    -
     						if (!($participant->getPermissions() & Attendee::PERMISSIONS_PUBLISH_AUDIO) && $decodedMessage['roomType'] === 'video'
     								&& $this->isTryingToPublishMedia($decodedMessage['payload']['sdp'], 'audio')) {
     							break;
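Review bot: the new recipient lookup `$this->participantService->getParticipantBySession($room, $decodedMessage['to']);` reads `$decodedMessage['to']` with no `isset` guard visible in this hunk; if any message type arrives without a `to` key, that is an undefined-index warning and, if the parameter is typed as a non-nullable `string`, a TypeError rather than the `ParticipantNotFoundException` the catch expects, so either guard it (`if (!isset($decodedMessage['to'])) { break; }`) or confirm that decoding above the hunk already rejects such messages. Note also that `getRoomForSession` and the sender lookup now run for every message type, not only `control`/`offer`/`answer`, so a message whose `sessionId` is not in any room now throws where it previously fell through; if that is intended it deserves a comment, otherwise catch it alongside the recipient lookup. Minor: the added `+` blank line sits directly below an existing blank line, leaving two consecutive empty lines before the `if ($decodedMessage['type'] === 'control')` branch.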
    

References (3)
