What is CVE-2026-45281?

CVE-2026-45281 is a high-severity vulnerability in Nextcloud Nextcloud_server, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 8.1/10. Published 2026-06-01.

How severe is CVE-2026-45281?

High severity. CVSS v3 base score is 8.1 out of 10.

Auth bypass in Nextcloud Nextcloud_server

CVE-2026-45281

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with the knowledge of other users’ principal URL an attacker could possibly send a request…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.000 (8.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N.

Affected products

Nextcloud Nextcloud_server
Nextcloud Security-advisories — versions >= 32.0.0, < 32.0.9, >= 33.0.0, < 33.0.3

Weakness classification (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key

References

security-advisories@github.com (x_refsource_CONFIRM, Mitigation, Vendor Advisory)
security-advisories@github.com (Patch, x_refsource_MISC, Issue Tracking)
security-advisories@github.com (Permissions Required, x_refsource_MISC)

Frequently asked questions

What is CVE-2026-45281?: CVE-2026-45281 is a high-severity vulnerability in Nextcloud Nextcloud_server, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 8.1/10. Published 2026-06-01.
How severe is CVE-2026-45281?: High severity. CVSS v3 base score is 8.1 out of 10.