CVE-2026-45283
MEDIUMNextcloud Server 32.0.0-32.0.1 and 33.0.0 - Authenticated File Lock Manipulation via DAV Requests
Title source: llmDescription
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the files_lock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated user could lock or unlock files belonging to other users by targeting their absolute WebDAV paths. Additionally, lock tokens were disclosed to unauthorized callers in error responses, allowing attackers to remove token-based locks placed by other users' client applications. It is recommended that the Nextcloud Server is upgraded to 32.0.2 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 31.0.14.4 or 32.0.2 or 33.0.1
References (3)
Core 3
Core References
Issue Tracking
https://github.com/nextcloud/files_lock/pull/1007
Vendor Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4chh-6mhf-p4jj
Third Party Advisory
https://hackerone.com/reports/3301553#
Scores
CVSS v3
6.3
EPSS
0.0021
EPSS Percentile
11.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Details
CWE
CWE-287
Status
published
Products (2)
nextcloud/nextcloud_server
31.0.0 - 31.0.14.4
nextcloud/nextcloud_server
32.0.0 - 32.0.2
Published
Jun 01, 2026
Tracked Since
Jun 02, 2026