CVE-2026-45285
Description
Nextcloud versions prior to 32.0.9 and 33.0.3 create hidden public links when sharing with external team members, exposing data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Nextcloud versions 32.0.0 up to but not including 32.0.9, and 33.0.0 up to but not including 33.0.3, silently create a public link when a user shares a folder or file with a Nextcloud Team that includes an external member added by email address. The link does not appear in the normal share interface and is sent directly to the external member by email [1].
Exploitation
An attacker needs to be an external member of a Nextcloud Team or intercept the email containing the public link. Upon receiving or intercepting this link, the attacker can access, modify, delete, reshare, and download all data within the shared folder without any further authentication [1].
Impact
An attacker who obtains the hidden public link gains the same permissions the Team was granted: read, write, delete, reshare and download for all data in the shared folder. The folder owner is unaware that the link exists and cannot revoke it through the standard sharing interface, so data can be modified or exfiltrated without the owner's knowledge [1].
Mitigation
This issue has been patched in Nextcloud versions 32.0.9 and 33.0.3. Upgrade to one of these fixed versions; no workarounds are available [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (3)
Commit 1ae07d49e98b1: Merge pull request #2454 from nextcloud/fix/noid/update-share-handling
5 files changed · +64 −2
appinfo/info.xml+3 −0 modified@@ -43,6 +43,9 @@ Those groups of people can then be used by any other app for sharing purpose. <step>OCA\Circles\Migration\Migration</step> <step>OCA\Circles\Migration\SyncGroupCircles</step> </post-migration> + <live-migration> + <step>OCA\Circles\Migration\RemoveShareTokens</step> + </live-migration> </repair-steps> <commands>
lib/ConfigLexicon.php+2 −0 modified@@ -23,6 +23,7 @@ class ConfigLexicon implements ILexicon { public const USER_SINGLE_ID = 'userSingleId'; public const FEDERATED_TEAMS_ENABLED = 'federated_teams_enabled'; public const FEDERATED_TEAMS_FRONTAL = 'federated_teams_frontal'; + public const REMOVE_SHARE_TOKENS_DONE = 'remove_share_tokens_done'; public function getStrictness(): Strictness { return Strictness::IGNORE; @@ -32,6 +33,7 @@ public function getAppConfigs(): array { return [ new Entry(key: self::FEDERATED_TEAMS_ENABLED, type: ValueType::BOOL, defaultRaw: false, definition: 'disable/enable Federated Teams', lazy: true), new Entry(key: self::FEDERATED_TEAMS_FRONTAL, type: ValueType::STRING, defaultRaw: '', definition: 'domain name used to auth public request', lazy: true), + new Entry(key: self::REMOVE_SHARE_TOKENS_DONE, type: ValueType::BOOL, defaultRaw: false, definition: 'whether the remove share tokens repair step has already been executed', lazy: true), ]; }
lib/Migration/RemoveShareTokens.php+58 −0 added@@ -0,0 +1,58 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\Circles\Migration; + +use OCA\Circles\ConfigLexicon; +use OCP\AppFramework\Services\IAppConfig; +use OCP\DB\QueryBuilder\IQueryBuilder; +use OCP\IDBConnection; +use OCP\Migration\IOutput; +use OCP\Migration\IRepairStep; +use OCP\Share\IShare; + +/** + * Class RemoveShareTokens + * + * @package OCA\Circles\Migration + */ +class RemoveShareTokens implements IRepairStep { + + public function __construct( + private IDBConnection $dbConnection, + private readonly IAppConfig $appConfig, + ) { + } + + public function getName(): string { + return 'Remove token from shares related to circles'; + } + + public function run(IOutput $output): void { + if ($this->appConfig->getAppValueBool(ConfigLexicon::REMOVE_SHARE_TOKENS_DONE)) { + return; + } + + $qb = $this->dbConnection->getQueryBuilder(); + $qb->update('share') + ->set('token', $qb->createNamedParameter(null, IQueryBuilder::PARAM_NULL)) + ->where($qb->expr()->eq('share_type', $qb->createNamedParameter(IShare::TYPE_CIRCLE, IQueryBuilder::PARAM_INT))) + ->andWhere($qb->expr()->isNotNull('token')) + ->setMaxResults(1000); + + while (true) { + $updated = $qb->executeStatement(); + if ($updated === 0) { + break; + } + } + + $this->appConfig->setAppValueBool(ConfigLexicon::REMOVE_SHARE_TOKENS_DONE, true); + } +}
lib/Model/ShareWrapper.php+1 −1 modified@@ -154,7 +154,7 @@ public function setToken(string $token): self { } public function getToken(): string { - return $this->token; + return $this->shareToken?->getToken() ?? ''; } public function setStatus(int $status): self {
lib/ShareByCircleProvider.php+0 −1 modified@@ -142,7 +142,6 @@ public function create(IShare $share): IShare { ->add(DataProbe::INITIATOR, [DataProbe::BASED_ON]); $circle = $this->circleService->probeCircle($share->getSharedWith(), $circleProbe, $dataProbe); - $share->setToken($this->token(15)); $share->setMailSend(true); $owner = $circle->getInitiator(); $this->shareWrapperService->save($share);
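Review bot: in appinfo/info.xml the new `<live-migration>` step is registered unconditionally, so `OCA\Circles\Migration\RemoveShareTokens` runs on every future upgrade of the app, not only on the one that ships this fix; that is only safe because `RemoveShareTokens::run()` returns early on the `remove_share_tokens_done` flag, so the two must stay in sync and a short comment next to the `<step>` should say so.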
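Review bot: in lib/ConfigLexicon.php the definition string for `REMOVE_SHARE_TOKENS_DONE` should say what the flag means for operators, not only that the step "has already been executed": once it is true the repair step never runs again, so an admin who needs a re-run (for example after restoring a database backup taken before the upgrade, which would still contain tokens) has to clear it first. The flag is also the quickest post-upgrade check that the cleanup actually ran (`occ config:app:get circles remove_share_tokens_done` should report it as set), which is worth a line in the release notes.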
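Review bot: in lib/Migration/RemoveShareTokens.php, `setMaxResults(1000)` on an UPDATE is not portable: PostgreSQL has no `UPDATE ... LIMIT`, and as far as I can tell Doctrine's query builder only applies a max-results clause to SELECT, so on those backends the first `executeStatement()` rewrites every matching row and the `while (true)` loop simply exits on the second pass. The end state is correct, but the batching is illusory and the loop has no iteration cap or progress output; either select matching `id`s in chunks and update with `id IN (...)`, or drop the limit and run the statement once. Smaller points: `$dbConnection` lacks the `readonly` that `$appConfig` has, and `$output` is never used (an `$output->info()` with the number of rows cleared would help when reading upgrade logs). Setting the flag only after the loop completes is the right order, since a failed run is then retried on the next upgrade.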
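Review bot: in lib/Model/ShareWrapper.php, `getToken()` now reads `$this->shareToken` while `setToken(string $token)` immediately above it (visible in the hunk context) still writes the old field, so the class keeps a setter/getter pair that no longer round-trips; either remove `setToken()` or have it populate `shareToken`, and document that an empty string from `getToken()` means "no token". The `?? ''` fallback also turns a missing token into an empty string silently, which is fine for callers that test `!== ''` but not for any that pass the value straight into a URL, so the remaining callers of `getToken()` should be checked.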
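Review bot: in lib/ShareByCircleProvider.php, dropping `$share->setToken($this->token(15));` from `create()` is the actual root-cause fix, since that 15-character token is what turned every circle share into a reachable public link; two follow-ups are missing. First, check whether the `token()` helper is now dead code. Second, `$share->setMailSend(true)` is kept, so confirm that the mail sent to email-based external members no longer embeds a link built from the share token; otherwise the message still advertises an endpoint even though the stored token is now null. A regression test that creates a share to a circle containing an email-based member and asserts that the persisted share has no token would pin this behaviour.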
Vulnerability mechanics
No source-code context is available for this CVE — the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions (3)
Linked articles (0): no linked articles in our index yet.