VYPR
Low severity · 3.3 · NVD Advisory · Published Jun 1, 2026

CVE-2026-45278

Description

Nextcloud's user_oidc module allows attackers to craft malicious links that redirect users to arbitrary websites during OIDC login.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Versions of Nextcloud from 6.1.0 up to, but not including, 8.2.2 are affected by an open redirect vulnerability in the user_oidc module. This vulnerability can be triggered when a user logs in via OIDC using a specially crafted link provided by an attacker [2].

Exploitation

An attacker can craft a malicious link that, when clicked by a victim, will redirect the victim to an arbitrary website after the victim successfully logs in via the user OIDC flow. This requires the attacker to provide a link to the victim, and the victim must interact with that link to initiate the login process [2].

Impact

Successful exploitation of this vulnerability results in an open redirect, which can be used to phish users or send them to malicious sites immediately after they have authenticated through Nextcloud's OIDC login. The exact impact depends on the destination URL chosen by the attacker [2].

Mitigation

This vulnerability has been patched in Nextcloud version 8.2.2. Users are advised to upgrade to version 8.2.2 or later to remediate the issue. The fix was merged into the user_oidc repository on May 29, 2024 [1].
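The following is an added illustration of the open-redirect class described in the Vulnerability and Mitigation sections above; it is not the project's own code. It ports the regex logic of the user_oidc redirect filter to Python in two variants, one that only strips the scheme and host from the requested redirect URL and one that additionally requires the remainder to be a plain path starting with a single slash, and runs both over constructed inputs. The base URL, the host names and the sample inputs are assumptions made for the example, and stays_on_origin is a helper written here to judge where a browser would end up.

```python
"""
Open-redirect filter for an OIDC post-login redirect target (added example).

redirect_target_before / redirect_target_after mirror, in Python, the regex
logic of the strip-only and strip-then-validate variants of the redirect
filter described on this page.  BASE_URL and SAMPLE_INPUTS are constructed
for the example and are not taken from the CVE.
"""
import re
from urllib.parse import urlsplit

# Constructed placeholder for the instance's own base URL (assumption).
BASE_URL = "https://cloud.example.test"

# Strip "scheme://host" from the front of the requested URL ...
_STRIP_ORIGIN = re.compile(r"^https?://[^/]+")
# ... and require what is left to start with exactly one slash.
_SINGLE_SLASH = re.compile(r"^/[^/]")


def redirect_target_before(redirect_url):
    """Strip-only variant: remove scheme and host, then trust whatever remains."""
    if redirect_url is None:
        return BASE_URL
    return _STRIP_ORIGIN.sub("", redirect_url)


def redirect_target_after(redirect_url):
    """Strip-then-validate variant: the remainder must be a plain path ('/x...')."""
    if redirect_url is None:
        return BASE_URL
    filtered = _STRIP_ORIGIN.sub("", redirect_url)
    # A scheme-relative "//host/..." or anything that is not a plain path
    # is replaced by the instance's own base URL.
    if not _SINGLE_SLASH.match(filtered):
        return BASE_URL
    return filtered


def stays_on_origin(target):
    """True when a browser following `target` would remain on BASE_URL's origin."""
    parts = urlsplit(target)
    base = urlsplit(BASE_URL)
    if parts.scheme == "" and parts.netloc == "":
        return True  # plain path: resolved against the current origin
    # urlsplit("//attacker.example") has an empty scheme but a non-empty netloc.
    return (parts.scheme, parts.netloc) == (base.scheme, base.netloc)


# Constructed inputs: absent value, a legitimate deep link, the bare root path,
# and two scheme-relative forms that a strip-only filter leaves intact.
SAMPLE_INPUTS = [
    None,
    "https://cloud.example.test/apps/files",
    "/",
    "https://cloud.example.test//attacker.example/",
    "//attacker.example",
]


def evaluate(inputs=SAMPLE_INPUTS):
    """Return, per input, both variants' targets and whether each stays on-origin."""
    rows = []
    for url in inputs:
        before = redirect_target_before(url)
        after = redirect_target_after(url)
        rows.append({
            "input": url,
            "before": before,
            "before_on_origin": stays_on_origin(before),
            "after": after,
            "after_on_origin": stays_on_origin(after),
        })
    return rows


if __name__ == "__main__":
    for row in evaluate():
        print(f"{row['input']!r:48} before={row['before']!r:24} "
              f"({'on-origin' if row['before_on_origin'] else 'OFF-ORIGIN'})  "
              f"after={row['after']!r}")
```

Running the script shows the distinction the fix relies on: stripping `https://host` alone turns `https://cloud.example.test//attacker.example/` into `//attacker.example/`, which a browser resolves as a scheme-relative URL to another host, whereas the single-slash requirement sends every such input back to the base URL. The bare `/` also falls back to the base URL, which is equivalent for the user but worth keeping in a regression test so the behaviour is deliberate.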

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 1

1b4f689c20be

Merge pull request #1273 from nextcloud/enh/noid/improve-redirect

https://github.com/nextcloud/user_oidc · Julien Veyssier · Dec 17, 2025 · via nvd-ref
1 file changed · +13 −5
  • lib/Controller/LoginController.php · +13 −5 · modified
    @@ -125,11 +125,19 @@ private function buildProtocolErrorResponse(?bool $throttle = null): TemplateRes
     	 * @return RedirectResponse
     	 */
     	private function getRedirectResponse(?string $redirectUrl = null): RedirectResponse {
    -		return new RedirectResponse(
    -			$redirectUrl === null
    -				? $this->urlGenerator->getBaseUrl()
    -				: preg_replace('/^https?:\/\/[^\/]+/', '', $redirectUrl)
    -		);
    +		if ($redirectUrl === null) {
    +			return new RedirectResponse($this->urlGenerator->getBaseUrl());
    +		}
    +
    +		// Remove protocol and domain name
    +		$filtered = preg_replace('/^https?:\/\/[^\/]+/', '', $redirectUrl);
    +
    +		// Additional check: ensure the result starts with a single /
    +		if (!preg_match('/^\/[^\/]/', $filtered)) {
    +			return new RedirectResponse($this->urlGenerator->getBaseUrl());
    +		}
    +
    +		return new RedirectResponse($filtered);
     	}
     
     	/**
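Review bot: the new guard `if (!preg_match('/^\/[^\/]/', $filtered))` correctly covers the case the old single preg_replace missed, a remainder of the form `//host/...` that a browser treats as scheme-relative, but the rewrite-then-validate shape still silently converts a foreign absolute URL such as `https://other-host/path` into `/path` rather than refusing it; rejecting any input whose parse_url() result has a scheme or host, and accepting only a plain path, would express the intent in one rule instead of two regexes. The comment `// Additional check: ensure the result starts with a single /` should also say why (it blocks scheme-relative targets), and the bare `/` now falling back to getBaseUrl() deserves a regression test next to the `//host` case so the behaviour is clearly deliberate.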
    

Vulnerability mechanics

No source-code context is available for this CVE: mechanics are only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 3

News mentions: 0

No linked articles in our index yet.