CVE-2026-45155

LOW EPSS 10.0%
Published Jun 1, 20264w ago · Modified Jun 17, 20261w ago
2.6 CVSS 3.1
Low
Find Similar
Published Jun 1, 2026 4w ago
Last Modified Jun 17, 2026 1w ago

Description

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.7 and 33.0.0 to before 33.0.1, a missing access check on API level allowed to add unknown circles by their ID directly to other circles. Since circle IDs have 62^15 complexity by default this is still unlikely to be executable at will, but if access to an ID was available via another source, memberships could be tracked like this. It is recommended that the Nextcloud Server is upgraded to 32.0.7 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7 or 33.0.1

CVSS Details

Base Score
2.6
Exploitability
1.2
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector Network
Attack Complexity High
Privileges Required Low
User Interaction Required
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
10.0% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-639

References 3

  • github.com https://github.com/nextcloud/circles/pull/2401
  • github.com https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xpgv-grf9-gm7x
  • hackerone.com https://hackerone.com/reports/3511998

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.