CVE-2023-26482

CRITICAL LAB

Nextcloud Server <24.0.10 - Workflow Scope Validation Bypass to Code Execution

Title source: manual
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-26482. PoCs published by ISabbiI, Enis Maholli, arianitisufi, Armend Gashi, whotwagner, including Metasploit module exploits/unix/webapp/nextcloud_workflows_rce.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2023-26482, a Missing Scope Validation vulnerability in Nextcloud Server. The exploit demonstrates how an authenticated non-admin user can create a malicious workflow rule to achieve Remote Code Execution (RCE) when the 'Workflow Script' app is installed.

Description

Nextcloud server is an open source home cloud implementation. In affected versions a missing scope validation allowed users to create workflows which are designed to be only available for administrators. Some workflows are designed to be RCE by invoking defined scripts, in order to generate PDFs, invoking webhooks or running scripts on the server. Due to this combination depending on the available apps the issue can result in a RCE at the end. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. Users unable to upgrade should disable app `workflow_scripts` and `workflow_pdf_converter` as a mitigation.

Exploits (2)

nomisec WORKING POC
by ISabbiI · poc
https://github.com/ISabbiI/PoC---CVE-2023-26482-RCE-LAB-Nextcloud

This repository contains a functional exploit for CVE-2023-26482, a Missing Scope Validation vulnerability in Nextcloud Server. The exploit demonstrates how an authenticated non-admin user can create a malicious workflow rule to achieve Remote Code Execution (RCE) when the 'Workflow Script' app is installed.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Nextcloud Server < 24.0.10 or < 25.0.4
Auth required
Prerequisites: Docker and Docker Compose · Python 3 with 'requests' library · Nextcloud instance with 'Workflow Script' app installed
devstral-2 · analyzed Feb 19, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Enis Maholli, arianitisufi, Armend Gashi, whotwagner · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb

This Metasploit module exploits CVE-2023-26482 in Nextcloud Workflows, allowing authenticated users to execute arbitrary commands via the Workflow Script app by creating a malicious workflow and triggering it through file upload.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Nextcloud (with Workflow Script app installed)
Auth required
Prerequisites: Valid Nextcloud credentials · Workflow Script app installed · Administrator privileges (due to workflow creation restrictions)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 9.0
EPSS 0.0418
EPSS Percentile 89.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull nextcloud:25.0.3

Details

CWE
CWE-78
Status published
Products (2)
nextcloud/nextcloud_server 18.0.0 - 20.0.14.12
nextcloud/nextcloud_server 24.0.0 - 24.0.10
Published Mar 30, 2023
Tracked Since Feb 18, 2026