CVE-2026-45285

MEDIUM

Nextcloud 32.0.0-32.0.8 and 33.0.0-33.0.2 - Unauthenticated Data Access via Auto-Generated Public Link

Title source: llm

Description

Nextcloud is an open source content collaboration platform. From versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a user shares a folder or file with a Nextcloud Team that includes an external member (a person added via email address who does not have a Nextcloud account), the system automatically creates a public link for that external member. This public link is not displayed in the share section of the folder, so the folder owner has no knowledge of its existence. It is sent via email to the external member. It grants the same permissions (read, write, delete, reshare, download) as the Team’s access. An attacker who receives or intercepts this link can access, modify, delete, reshare, and download all data in the shared folder without any further authentication. The folder owner cannot see or revoke the link through the normal sharing interface. This issue has been patched in versions 32.0.9 and 33.0.3.

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r3xh-x86g-hw4m

Issue Tracking x_refsource_misc

https://github.com/nextcloud/circles/pull/2454

Third Party Advisory x_refsource_misc

https://hackerone.com/reports/3625932

Scores

CVSS v3 6.4

EPSS 0.0029

EPSS Percentile 20.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-862

Status published

Products (3)

nextcloud/nextcloud_server 32.0.0 - 32.0.9 (2 CPE variants)

nextcloud/security-advisories >= 32.0.0, < 32.0.9

nextcloud/security-advisories >= 33.0.0, < 33.0.3

Published Jun 01, 2026

Tracked Since Jun 02, 2026