VYPR
← All advisories
Medium severity5.9NVD Advisory· Published Jun 1, 2026

CVE-2026-45691

CVE-2026-45691

Description

Nextcloud Server versions 32.0.0-32.0.9 and 33.0.0-33.0.3 allow pre-2FA session cookies to bypass TOTP for DAV endpoint access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nextcloud Server versions 32.0.0-32.0.9 and 33.0.0-33.0.3 allow pre-2FA session cookies to bypass TOTP for DAV endpoint access.

Vulnerability

Nextcloud Server versions from 32.0.0 up to, but not including, 32.0.9, and from 33.0.0 up to, but not including, 33.0.3, are affected by a vulnerability where a session cookie created after password authentication but before two-factor authentication (2FA) completion can be reused. This cookie can be used as a Bearer token to authenticate against DAV endpoints [2].

Exploitation

An attacker with knowledge of a user's pre-2FA session cookie could reuse this cookie as a Bearer token to authenticate against DAV endpoints. This bypasses the mandatory two-factor authentication requirement for accessing these endpoints [2].

Impact

Successful exploitation allows an attacker to gain read and write access to DAV endpoints using a user's pre-2FA session cookie. This effectively bypasses the second factor of authentication, granting unauthorized access to user data and functionality accessible via DAV [2].

Mitigation

Nextcloud Server should be upgraded to version 33.0.3 or 32.0.9. For Nextcloud Enterprise Server, upgrade to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, or 29.0.16.16. No workaround is available [2].

References
  1. Bypass of second factor authentication on DAV endpoints by reusing a pre-2FA session ID

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

1
836546414ecd

Merge pull request #59758 from nextcloud/fix/improve-session-token-handling

https://github.com/nextcloud/serverCôme ChillietApr 21, 2026via nvd-ref
commitPR #59758
1 file changed · +20 7
  • lib/private/User/Session.php+20 7 modified
    @@ -394,6 +394,12 @@ public function logClientIn($user,
 		try {
 			$dbToken = $this->getTokenFromPassword($password);
 			$isTokenPassword = $dbToken !== null;
+			if (($dbToken instanceof PublicKeyToken)
+				&& !in_array($dbToken->getType(), [IToken::PERMANENT_TOKEN,IToken::ONETIME_TOKEN])
+			) {
+				// Refuse session tokens here, only app tokens and onetime tokens are handled
+				return false;
+			}
 		} catch (ExpiredTokenException) {
 			// Just return on an expired token no need to check further or record a failed login
 			return false;
@@ -817,32 +823,39 @@ private function validateTokenLoginName(?string $loginName, IToken $token): bool
 	 */
 	public function tryTokenLogin(IRequest $request) {
 		$authHeader = $request->getHeader('Authorization');
+		$tokenFromCookie = false;
 		if (str_starts_with($authHeader, 'Bearer ')) {
 			$token = substr($authHeader, 7);
 		} elseif ($request->getCookie($this->config->getSystemValueString('instanceid')) !== null) {
 			// No auth header, let's try session id, but only if this is an existing
 			// session and the request has a session cookie
 			try {
 				$token = $this->session->getId();
+				$tokenFromCookie = true;
 			} catch (SessionNotAvailableException $ex) {
 				return false;
 			}
 		} else {
 			return false;
 		}
 
-		if (!$this->loginWithToken($token)) {
+		try {
+			$dbToken = $this->tokenProvider->getToken($token);
+		} catch (InvalidTokenException $e) {
+			// Can't really happen but better safe than sorry
 			return false;
 		}
-		if (!$this->validateToken($token)) {
+
+		if ($dbToken instanceof PublicKeyToken && $dbToken->getType() === IToken::TEMPORARY_TOKEN && !$tokenFromCookie) {
+			// Session token but from Bearer header, not allowed
 			return false;
 		}
 
-		try {
-			$dbToken = $this->tokenProvider->getToken($token);
-		} catch (InvalidTokenException $e) {
-			// Can't really happen but better save than sorry
-			return true;
+		if (!$this->loginWithToken($token)) {
+			return false;
+		}
+		if (!$this->validateToken($token)) {
+			return false;
 		}
 
 		// Set the session variable so we know this is an app password

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3

News mentions

0

No linked articles in our index yet.