CVE-2026-45153
MEDIUMNextcloud: PIN bypass in PassCodeActivity via back button
Title source: cnaDescription
Nextcloud is an open source content collaboration platform. From version 33.0.0 to before version 33.1.0, after unlocking a locked Android phone the back-button could be used to bypass the Nextcloud Files app PIN. This issue has been patched in version 33.1.0.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2w7v-5299-3hw5
X_Refsource_Misc x_refsource_misc
https://github.com/nextcloud/android/pull/16896
X_Refsource_Misc x_refsource_misc
https://hackerone.com/reports/3625210
Scores
CVSS v3
4.6
EPSS
0.0015
EPSS Percentile
4.8%
Attack Vector
PHYSICAL
CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
Details
CWE
CWE-287
Status
published
Products (1)
nextcloud/security-advisories
>= 33.0.0, < 33.1.0
Published
Jun 01, 2026
Tracked Since
Jun 01, 2026