CVE-2026-45267
Description
A missing permission check in Nextcloud versions prior to 5.2.6 allows authenticated users to gain unauthorized access to form submissions belonging to other users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Nextcloud Forms app (the forms component of Nextcloud) is susceptible to an information disclosure vulnerability caused by a missing permission check. The fix diff shown further down on this page locates it in the getSubmission API handler: before the fix, the handler verified that the caller could reach the form and that the requested submission belonged to that form, but it never checked whether the caller either holds the results permission on the form or is the author of that particular submission. Any user who could reach the form could therefore read submissions that should have been visible only to their authors and to the form's results viewers. All versions of the Forms app prior to 5.2.6 are affected [1].
Exploitation
An attacker needs an authenticated account on the target Nextcloud instance and access to the form, for example a form shared with them for submission. A request to the submission endpoint visible in the fix diff, GET /api/v3/forms/{formId}/submissions/{submissionId}, with another user's submission ID returns that submission; no elevated privileges or victim interaction are required. Submission IDs are integers, so the remaining submissions on a form can be walked by iterating the ID [1][2].
Impact
Successful exploitation of this vulnerability results in the unauthorized disclosure of sensitive information contained within form submissions. An attacker can gain access to private data submitted by other users, leading to a breach of confidentiality within the collaboration platform [1].
Mitigation
This vulnerability has been addressed in version 5.2.6 of the Nextcloud Forms app, whose getSubmission handler now computes the caller's permissions on the form and rejects the request with OCSForbiddenException when the caller lacks the results permission and is not the author of the requested submission [1][2]. Administrators are advised to update the Forms app to 5.2.6 or later.
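As an added example (not code from the Nextcloud Forms project), the following Python models the authorization decision the fix adds to getSubmission next to the pre-fix behaviour, so the disclosure and its remedy can be exercised offline. The permission model (the form owner and explicit results shares hold the results permission, every other authenticated user only the submit permission), the in-memory stores, the helper names and all user and submission data are constructed for the example and are not the project's real API.

```python
"""Owner-or-results authorization for reading a form submission.

Added example, not Nextcloud Forms code. Permission model, stores and
data are assumptions made for the example.
"""
from dataclasses import dataclass

PERMISSION_SUBMIT = "submit"
PERMISSION_RESULTS = "results"
ANON_PREFIX = "anon-user-"  # prefix the real API uses for anonymous submitters


class NotFound(Exception):
    pass


class BadRequest(Exception):
    pass


class Forbidden(Exception):
    pass


@dataclass(frozen=True)
class Form:
    id: int
    owner: str
    results_shares: frozenset = frozenset()  # assumed: users granted results access


@dataclass(frozen=True)
class Submission:
    id: int
    form_id: int
    user_id: str  # "anon-user-..." for anonymous submissions


def get_permissions(form: Form, uid: str) -> set:
    """Assumed model: owner and results shares see all results, others only submit."""
    if uid == form.owner or uid in form.results_shares:
        return {PERMISSION_SUBMIT, PERMISSION_RESULTS}
    return {PERMISSION_SUBMIT}


def _load(forms, submissions, form_id, submission_id):
    """Lookups both versions share: missing form, missing submission, wrong form."""
    form = forms.get(form_id)
    if form is None:
        raise NotFound("Form doesn't exist")
    sub = submissions.get(submission_id)
    if sub is None:
        raise NotFound("Submission doesn't exist")
    if sub.form_id != form.id:
        raise BadRequest("Submission doesn't belong to given form")
    return form, sub


def get_submission_vulnerable(forms, submissions, uid, form_id, submission_id):
    """Pre-fix: anyone who can reach the form reads any submission on it."""
    _form, sub = _load(forms, submissions, form_id, submission_id)
    return sub


def get_submission_fixed(forms, submissions, uid, form_id, submission_id):
    """Post-fix: results holders see all, others only their own submission.
    Anonymous submissions never match a real UID, so only results holders see them."""
    form, sub = _load(forms, submissions, form_id, submission_id)
    can_see_all = PERMISSION_RESULTS in get_permissions(form, uid)
    if not can_see_all and sub.user_id != uid:
        raise Forbidden("User is not allowed to see submission")
    return sub


def outcome(handler, forms, submissions, uid, form_id, submission_id) -> str:
    """Collapse a handler call into a short verdict string."""
    try:
        sub = handler(forms, submissions, uid, form_id, submission_id)
    except Forbidden:
        return "forbidden"
    except BadRequest:
        return "bad-request"
    except NotFound:
        return "not-found"
    return f"ok:{sub.user_id}"


# Constructed sample data: alice owns form 1 and shared its results with dave;
# bob, carol and an anonymous visitor submitted to it. erin owns form 2.
FORMS = {1: Form(1, "alice", frozenset({"dave"})), 2: Form(2, "erin")}
SUBMISSIONS = {
    10: Submission(10, 1, "bob"),
    11: Submission(11, 1, "carol"),
    12: Submission(12, 1, ANON_PREFIX + "7f3a"),
    20: Submission(20, 2, "bob"),
}


def compare(uid, form_id, submission_id):
    """Return the (vulnerable, fixed) verdicts for one request."""
    args = (FORMS, SUBMISSIONS, uid, form_id, submission_id)
    return outcome(get_submission_vulnerable, *args), outcome(get_submission_fixed, *args)


if __name__ == "__main__":
    for who, fid, sid in [("carol", 1, 10), ("bob", 1, 10), ("dave", 1, 12), ("carol", 1, 20)]:
        print(who, fid, sid, *compare(who, fid, sid))
```

Running the block shows carol reading bob's submission succeed under the pre-fix logic and fail with a forbidden verdict under the fixed logic, while bob's own submission and the owner's and results share's reads succeed under both. Note that, as in the real patch, the wrong-form check still runs before the ownership check, so a submitter can tell a bad-request for a foreign-form ID from a forbidden for an ID on this form; a deployment that cares about that distinction should collapse the two responses.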
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches
1e8622c0b4e14 Merge pull request #3269 from nextcloud/fix/submissionHandling
3 files changed · +26 −2
lib/Controller/ApiController.php+6 −0 modified@@ -1265,6 +1265,8 @@ public function getSubmissions(int $formId, ?string $query = null, ?int $limit = #[ApiRoute(verb: 'GET', url: '/api/v3/forms/{formId}/submissions/{submissionId}')] public function getSubmission(int $formId, int $submissionId): DataResponse|DataDownloadResponse { $form = $this->formsService->getFormIfAllowed($formId, Constants::PERMISSION_RESULTS); + $permissions = $this->formsService->getPermissions($form); + $canSeeAllSubmissions = in_array(Constants::PERMISSION_RESULTS, $permissions, true); $submission = $this->submissionService->getSubmission($submissionId); if ($submission === null) { @@ -1275,6 +1277,10 @@ public function getSubmission(int $formId, int $submissionId): DataResponse|Data throw new OCSBadRequestException('Submission doesn\'t belong to given form'); } + if (!$canSeeAllSubmissions && $submission['userId'] !== $this->currentUser->getUID()) { + throw new OCSForbiddenException('User is not allowed to see submission'); + } + // Append Display Names if (substr($submission['userId'], 0, 10) === 'anon-user-') { // Anonymous User
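Review bot: in the getSubmission hunk the new `if (!$canSeeAllSubmissions && $submission['userId'] !== $this->currentUser->getUID())` check comes after the `Submission doesn't belong to given form` test, so a caller without PERMISSION_RESULTS still receives OCSBadRequestException for IDs on other forms and OCSForbiddenException only for IDs on this form, which lets such a caller map which submission IDs belong to the form; consider evaluating ownership in the same branch or returning the same response for both cases. A comment explaining why `getFormIfAllowed($formId, Constants::PERMISSION_RESULTS)` returns the form to callers who then turn out to lack PERMISSION_RESULTS would also help, since the hunk immediately re-derives that permission through `getPermissions($form)`.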
src/views/Submit.vue+5 −2 modified@@ -58,7 +58,10 @@ </template> </NcEmptyContent> <NcEmptyContent - v-else-if="success || (!form.canSubmit && !isMaxSubmissionsReached)" + v-else-if=" + success + || (!form.canSubmit && !isMaxSubmissionsReached && !submissionId) + " class="forms-emptycontent" :name=" form.submissionMessage @@ -75,7 +78,7 @@ </template> </NcEmptyContent> <NcEmptyContent - v-else-if="isMaxSubmissionsReached" + v-else-if="isMaxSubmissionsReached && !submissionId" class="forms-emptycontent" :name="t('forms', 'Limit reached')" :description="
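Review bot: the `&& !submissionId` conditions added in Submit.vue let a user who already holds a submission ID proceed past the cannot-submit and `Limit reached` states, which implies the server accepts reading or editing an existing submission in those states; only the GET getSubmission handler is changed in this pull request, so confirm that the corresponding update path enforces the same owner-or-results check rather than relying on this client-side condition.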
tests/Unit/Controller/ApiControllerTest.php+15 −0 modified@@ -1058,6 +1058,11 @@ public function testGetSubmission_success() { ->with(1, Constants::PERMISSION_RESULTS) ->willReturn($form); + $this->formsService->expects($this->once()) + ->method('getPermissions') + ->with($form) + ->willReturn([Constants::PERMISSION_RESULTS]); + $this->submissionService->expects($this->once()) // Changed from submissionMapper ->method('getSubmission') ->with(42) @@ -1121,6 +1126,11 @@ public function testGetSubmission_anonymousUser() { ->with(1, Constants::PERMISSION_RESULTS) ->willReturn($form); + $this->formsService->expects($this->once()) + ->method('getPermissions') + ->with($form) + ->willReturn([Constants::PERMISSION_RESULTS]); + $this->submissionService->expects($this->once()) // Changed from submissionMapper ->method('getSubmission') ->with(42) @@ -1154,6 +1164,11 @@ public function testGetSubmission_userNotFound() { ->with(1, Constants::PERMISSION_RESULTS) ->willReturn($form); + $this->formsService->expects($this->once()) + ->method('getPermissions') + ->with($form) + ->willReturn([Constants::PERMISSION_RESULTS]); + $this->submissionService->expects($this->once()) // Changed from submissionMapper ->method('getSubmission') ->with(42)
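Review bot: all three updated tests stub getPermissions to return `[Constants::PERMISSION_RESULTS]`, so the new OCSForbiddenException branch in getSubmission is never exercised; add a case where getPermissions returns a set without Constants::PERMISSION_RESULTS and the submission's userId differs from the current user (expect OCSForbiddenException) and one where it matches (expect success). The `// Changed from submissionMapper` comment repeated in each test is a stale change note and can be dropped.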
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (3)
News mentions (0)
No linked articles in our index yet.