CVE-2026-45266
LOW
Nextcloud: Unauthorized force-mute from missing permission check when using internal signaling
Title source: cnaDescription
Nextcloud is an open source content collaboration platform. Prior to versions 21.1.10, 22.0.11, and 23.0.3, a low-privileged user can force other users' microphones to be muted in calls when no High-performance Backend is installed. This issue has been patched in versions 21.1.10, 22.0.11, and 23.0.3.
References (3)
x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x75r-65hm-cw35
x_refsource_misc
https://github.com/nextcloud/spreed/pull/17577
x_refsource_misc
https://hackerone.com/reports/3636758
Scores
CVSS v3
3.5
EPSS
0.0020
EPSS Percentile
10.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Details
CWE
CWE-284
Status
published
Products (3)
nextcloud/security-advisories
< 21.1.10
nextcloud/security-advisories
< 22.0.11
nextcloud/security-advisories
< 23.0.3
Published
Jun 01, 2026
Tracked Since
Jun 01, 2026