CVE-2026-45691

MEDIUM

Nextcloud Server 32.0.0-32.0.8 and 33.0.0-33.0.2 - Two-Factor Authentication Bypass via Pre-2FA Session Cookie Reuse

Title source: llm

Description

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer token to authenticate against DAV endpoints, granting read/write access and bypassing mandatory two-factor authentication. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16

References (3)

Core 3

Core References

Vendor Advisory

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mp6x-g55j-w9jw

Issue Tracking

https://github.com/nextcloud/server/pull/59758

Third Party Advisory

https://hackerone.com/reports/3573399

Scores

CVSS v3 5.9

EPSS 0.0029

EPSS Percentile 20.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N

Details

CWE

CWE-287

Status published

Products (2)

nextcloud/nextcloud_server 29.0.0 - 29.0.16.16

nextcloud/nextcloud_server 32.0.0 - 32.0.9

Published Jun 01, 2026

Tracked Since Jun 02, 2026