CVE-2026-45283
Description
Nextcloud Server's files_lock app allowed authenticated users to manipulate other users' files via WebDAV, and disclose lock tokens.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The files_lock app in Nextcloud Server versions 32.0.0 to before 32.0.2 and 33.0.0 to before 33.0.1 improperly validated file ownership during DAV lock and unlock requests. This allowed authenticated users to lock or unlock files belonging to other users by using their absolute WebDAV paths [2].
Exploitation
An authenticated user can exploit this vulnerability by sending crafted DAV lock and unlock requests targeting the absolute WebDAV paths of files they do not own. Additionally, lock tokens can be disclosed in error responses, enabling attackers to remove locks placed by other users' client applications [2].
Impact
Successful exploitation allows an authenticated user to lock or unlock files belonging to other users, potentially disrupting collaboration or access. Furthermore, attackers can remove existing locks on files, which could lead to data corruption or unauthorized modifications. Lock tokens may also be disclosed to unauthorized callers [2].
Mitigation
Nextcloud Server should be upgraded to version 32.0.2 or 33.0.1. For Nextcloud Enterprise Server, upgrade to 31.0.14.4, 32.0.2, or 33.0.1. No workaround is available [2]. The pull request addressing this issue is available at [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: 32.0.0 to <32.0.2, 33.0.0 to <33.0.1
- Range: 32.0.0 to <32.0.2, 33.0.0 to <33.0.1
Patches
1b58deeebf1dfMerge pull request #1007 from nextcloud/fix/dav/file-from-absolute-uri
1 file changed · +8 −1
lib/Service/FileService.php+8 −1 modified@@ -108,7 +108,14 @@ public function getFileFromUri(string $uri): Node { * @throws NoUserException */ public function getFileFromAbsoluteUri(string $uri): Node { - [$root, $userId, $path] = explode('/', trim($uri, '/') . '/', 3); + $user = $this->userSession->getUser(); + if ($user === null) { + throw new SessionNotAvailableException(); + } + + $userId = $user->getUID(); + + [$root, , $path] = explode('/', trim($uri, '/') . '/', 3); if ($root !== 'files') { throw new NotFoundException(); }
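Review bot: in getFileFromAbsoluteUri the user segment of the URI is now silently discarded (`[$root, , $path] = explode(...)`) rather than checked against the session user, so a LOCK or UNLOCK naming /files/<other-user>/<path> is quietly re-targeted to the caller's own <path> instead of being rejected; consider comparing the parsed segment with `$userId` and throwing NotFoundException on a mismatch, so a client gets an error rather than acting on a different file than it asked for. Two smaller points in the same hunk: the docblock still reads `@throws NoUserException` while the new code throws SessionNotAvailableException, so the annotation should be updated; and the hunk shows no `use` statement for SessionNotAvailableException, so confirm it is imported in this file.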
Vulnerability mechanics
Root cause
"The files_lock app did not properly validate file ownership for DAV lock and unlock requests."
Attack vector
An authenticated user can exploit this by sending absolute WebDAV paths in lock and unlock requests to target files they do not own. This allows them to lock or unlock files belonging to other users. Additionally, error responses incorrectly disclose lock tokens, enabling unauthorized callers to remove existing locks [ref_id=1].
Affected code
The vulnerability resides within the files_lock app, specifically in how DAV lock and unlock requests resolve the file they target. The fix changes getFileFromAbsoluteUri() in lib/Service/FileService.php, the helper that turns an absolute URI of the form /files/<user>/<path> into a file node, as shown in the merged pull request from nextcloud/fix/dav/file-from-absolute-uri [ref_id=1].
What the fix does
The patch stops trusting the user segment of the absolute URI. getFileFromAbsoluteUri() now takes the user ID from the current session, throwing SessionNotAvailableException when no user is logged in, and uses only the remaining path from the URI, so the file is always looked up within the caller's own files. A lock or unlock request that names another user's path therefore can no longer reach that user's file. The advisory recommends upgrading to the patched versions listed under Mitigation [patch_id=4383033].
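To make the attack vector and the fix concrete, the following is an added example, not code from nextcloud/files_lock. It reproduces the URI parsing of getFileFromAbsoluteUri() from the patch hunk above in isolation, first as it was before the fix and then as patched, plus a stricter variant that rejects a mismatched user segment instead of silently re-targeting it. The exception class names mirror the hunk but are declared locally here, the session user is a constructed value, and the request URI is a constructed example; none of this talks to a Nextcloud instance.

```php
<?php
declare(strict_types=1);

// Added example, not files_lock's own code. Exception classes are declared
// locally so the script runs stand-alone (assumption: names only mirror the hunk).
class NotFoundException extends RuntimeException {}
class SessionNotAvailableException extends RuntimeException {}

/**
 * Pre-fix parsing: the user ID is taken from the second URI segment, so the
 * caller decides whose file tree the remaining path is resolved against.
 *
 * @return array{0: string, 1: string} [userId, path]
 */
function resolveVulnerable(string $uri): array {
    [$root, $userId, $path] = explode('/', trim($uri, '/') . '/', 3);
    if ($root !== 'files') {
        throw new NotFoundException();
    }
    return [$userId, rtrim($path, '/')];
}

/**
 * Post-fix parsing, as in the hunk: the user ID comes from the session and the
 * URI's user segment is discarded, so the path can only resolve inside the
 * caller's own files. A null session stands in for userSession->getUser() === null.
 */
function resolveFixed(string $uri, ?string $sessionUserId): array {
    if ($sessionUserId === null) {
        throw new SessionNotAvailableException();
    }
    [$root, , $path] = explode('/', trim($uri, '/') . '/', 3);
    if ($root !== 'files') {
        throw new NotFoundException();
    }
    return [$sessionUserId, rtrim($path, '/')];
}

/**
 * Stricter variant (an assumption, not what the patch does): a URI whose user
 * segment differs from the session user is rejected instead of being quietly
 * re-targeted, so the client gets an error rather than acting on another file.
 */
function resolveStrict(string $uri, ?string $sessionUserId): array {
    if ($sessionUserId === null) {
        throw new SessionNotAvailableException();
    }
    [$root, $uriUserId, $path] = explode('/', trim($uri, '/') . '/', 3);
    if ($root !== 'files' || $uriUserId !== $sessionUserId) {
        throw new NotFoundException();
    }
    return [$sessionUserId, rtrim($path, '/')];
}

// Constructed scenario: 'alice' is logged in and sends a lock request that
// names a file under 'bob' by its absolute WebDAV path.
$session = 'alice';
$uri = '/files/bob/Documents/report.docx';

[$u, $p] = resolveVulnerable($uri);
printf("vulnerable: user=%s path=%s\n", $u, $p);

[$u, $p] = resolveFixed($uri, $session);
printf("fixed:      user=%s path=%s\n", $u, $p);

try {
    resolveStrict($uri, $session);
} catch (NotFoundException $e) {
    echo "strict:     rejected, URI user segment does not match session user\n";
}

try {
    resolveFixed($uri, null);
} catch (SessionNotAvailableException $e) {
    echo "fixed, no session: SessionNotAvailableException\n";
}
```

Run with `php resolve.php`. The vulnerable resolver returns user bob with path Documents/report.docx, which is exactly the cross-user targeting the advisory describes; the patched resolver returns user alice with the same path, so the request can only touch alice's own copy of that path; the strict variant throws NotFoundException, and the patched resolver throws SessionNotAvailableException when no user is logged in. The trailing slash that `explode()` leaves on the last segment (because of the appended `'/'`) is stripped here with `rtrim()` for display; the real code hands the path to the user folder lookup.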
Preconditions
- auth: the attacker must be an authenticated user.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions: 3
No linked articles in our index yet.