CVE-2026-45690

MEDIUM

Nextcloud Server 32.0.0-32.0.8 and 33.0.0-33.0.2 - Authentication Bypass via Session Token Replay

Title source: llm

Description

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user's password to circumvent two-factor authentication (2FA) protections. When a user initiated login with valid credentials on a 2FA-enabled account, the system created a temporary session token before enforcing the second factor challenge. This token could be extracted and replayed via HTTP Basic Authentication to gain unauthorized access to authenticated endpoints. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jgcj-v42r-9922

Issue Tracking x_refsource_misc

https://github.com/nextcloud/server/pull/59758

Third Party Advisory x_refsource_misc

https://hackerone.com/reports/3639301

Scores

CVSS v3 5.9

EPSS 0.0029

EPSS Percentile 20.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-287

Status published

Products (4)

nextcloud/nextcloud_server 29.0.0 - 29.0.16.16

nextcloud/nextcloud_server 32.0.0 - 32.0.9

nextcloud/security-advisories >= 32.0.0, < 32.0.9

nextcloud/security-advisories >= 33.0.0, < 33.0.3

Published Jun 01, 2026

Tracked Since Jun 02, 2026