CVE-2026-45691
MEDIUM EPSS 20.7%
Published Jun 1, 20264w ago · Modified Jun 17, 20261w ago
5.9 CVSS 3.1
Published Jun 1, 2026 4w ago
Last Modified Jun 17, 2026 1w ago
Description
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer token to authenticate against DAV endpoints, granting read/write access and bypassing mandatory two-factor authentication. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N Attack Vector Network
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity High
Availability None
Threat Intelligence
EPSS Exploit Probability
20.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-287 Improper Authentication Authentication
Affected Products 7
| Vendor | Product | Version | Range |
|---|---|---|---|
| nextcloud | nextcloud_server | * | ≥32.0.0 – <32.0.9 |
| nextcloud | nextcloud_server | * | ≥33.0.0 – <33.0.3 |
| nextcloud | nextcloud_server | * | ≥29.0.0 – <29.0.16.16 |
| nextcloud | nextcloud_server | * | ≥30.0.0 – <30.0.17.9 |
| nextcloud | nextcloud_server | * | ≥31.0.0 – <31.0.14.5 |
| nextcloud | nextcloud_server | * | ≥32.0.0 – <32.0.9 |
| nextcloud | nextcloud_server | * | ≥33.0.0 – <33.0.3 |
References 3
- github.com https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mp6x-g55j-w9jw
- github.com https://github.com/nextcloud/server/pull/59758
- hackerone.com https://hackerone.com/reports/3573399
Remediation
- github.com https://github.com/nextcloud/server/pull/59758