CVE-2026-45810
Description
Nextcloud Server versions 31.0.0 to 31.0.12 and 32.0.0 to 32.0.3 are vulnerable to information disclosure, allowing any authenticated user with comment access to read all comments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Nextcloud Server versions 31.0.0 to 31.0.12 and 32.0.0 to 32.0.3 are vulnerable to information disclosure, allowing any authenticated user with comment access to read all comments.
Vulnerability
Nextcloud Server versions from 31.0.0 to before 31.0.12, and 32.0.0 to before 32.0.3, contain a vulnerability where a missing check of a relation allows authenticated users with access to any file comment to read the content of all comments [1].
Exploitation
An authenticated attacker with access to any file comment can exploit this vulnerability by accessing the comment functionality. No other specific conditions or user interaction are mentioned as required for exploitation.
Impact
Successful exploitation allows an attacker to read the content of all comments across the Nextcloud instance, regardless of file ownership or access permissions. This leads to unauthorized information disclosure [1].
Mitigation
Nextcloud Server should be upgraded to version 31.0.12 or 32.0.3. For Nextcloud Enterprise Server, upgrades to specific versions like 21.0.9.20, 22.2.10.35, 23.0.12.31, 24.0.12.30, 25.0.13.25, 26.0.13.22, 27.1.11.22, 28.0.14.13, 29.0.16.10, 30.0.17.5, 31.0.12, or 32.0.3 are recommended. No workarounds are available [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: 31.0.0 to <31.0.12, 32.0.0 to <32.0.3
Patches
1f89243721020Merge pull request #56982 from nextcloud/bugfix/noid/check-comment-object
4 files changed · +43 −9
apps/dav/lib/Comments/EntityCollection.php+7 −2 modified@@ -77,6 +77,10 @@ public function getId() { public function getChild($name) { try { $comment = $this->commentsManager->get($name); + if ($comment->getObjectType() !== $this->name + || $comment->getObjectId() !== $this->id) { + throw new NotFound(); + } return new CommentNode( $this->commentsManager, $comment, @@ -130,8 +134,9 @@ public function findChildren($limit = 0, $offset = 0, ?\DateTime $datetime = nul */ public function childExists($name) { try { - $this->commentsManager->get($name); - return true; + $comment = $this->commentsManager->get($name); + return $comment->getObjectType() === $this->name + && $comment->getObjectId() === $this->id; } catch (NotFoundException $e) { return false; }
apps/dav/tests/unit/Comments/EntityCollectionTest.php+18 −5 modified@@ -48,14 +48,16 @@ public function testGetId(): void { } public function testGetChild(): void { + $comment = $this->createMock(IComment::class); + $comment->method('getObjectType') + ->willReturn('files'); + $comment->method('getObjectId') + ->willReturn('19'); + $this->commentsManager->expects($this->once()) ->method('get') ->with('55') - ->willReturn( - $this->getMockBuilder(IComment::class) - ->disableOriginalConstructor() - ->getMock() - ); + ->willReturn($comment); $node = $this->collection->getChild('55'); $this->assertInstanceOf(CommentNode::class, $node); @@ -107,6 +109,17 @@ public function testFindChildren(): void { } public function testChildExistsTrue(): void { + $comment = $this->createMock(IComment::class); + $comment->method('getObjectType') + ->willReturn('files'); + $comment->method('getObjectId') + ->willReturn('19'); + + $this->commentsManager->expects($this->once()) + ->method('get') + ->with('44') + ->willReturn($comment); + $this->assertTrue($this->collection->childExists('44')); }
lib/private/DB/QueryBuilder/QueryBuilder.php+8 −0 modified@@ -1094,6 +1094,10 @@ public function orHaving(...$having) { * @return $this This QueryBuilder instance. */ public function orderBy($sort, $order = null) { + if ($order !== null && !in_array(strtoupper((string)$order), ['ASC', 'DESC'], true)) { + $order = null; + } + $this->queryBuilder->orderBy( $this->helper->quoteColumnName($sort), $order @@ -1111,6 +1115,10 @@ public function orderBy($sort, $order = null) { * @return $this This QueryBuilder instance. */ public function addOrderBy($sort, $order = null) { + if ($order !== null && !in_array(strtoupper((string)$order), ['ASC', 'DESC'], true)) { + $order = null; + } + $this->queryBuilder->addOrderBy( $this->helper->quoteColumnName($sort), $order
lib/private/DB/QueryBuilder/Sharded/ShardedQueryBuilder.php+10 −2 modified@@ -280,13 +280,21 @@ public function setFirstResult($firstResult) { } public function addOrderBy($sort, $order = null) { - $this->registerOrder((string)$sort, (string)$order ?? 'ASC'); + if ($order !== null && !in_array(strtoupper((string)$order), ['ASC', 'DESC'], true)) { + $order = null; + } + + $this->registerOrder((string)$sort, (string)($order ?? 'ASC')); return parent::addOrderBy($sort, $order); } public function orderBy($sort, $order = null) { + if ($order !== null && !in_array(strtoupper((string)$order), ['ASC', 'DESC'], true)) { + $order = null; + } + $this->sortList = []; - $this->registerOrder((string)$sort, (string)$order ?? 'ASC'); + $this->registerOrder((string)$sort, (string)($order ?? 'ASC')); return parent::orderBy($sort, $order); }
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
3News mentions
0No linked articles in our index yet.