Nextcloud Server versions 32.0.0 through 32.0.8 and 33.0.0 through 33.0.2 contain an improper access control vulnerability (CWE-284) identified as CVE-2026-45282. This vulnerability allows an authenticated attacker who knows the share token of a link share to access attachments associated with that share, circumventing password protection and download restrictions. The attacker requires knowledge of a documentId they own for directly shared files or must guess a documentId within a shared folder to exploit the vulnerability. The attacker cannot access the shared file or folder itself, only the attachments. The vulnerability has a CVSS 3.1 base score of 6.5 (medium severity) with network attack vector, low attack complexity, and no user interaction required. Nextcloud recommends upgrading to fixed versions 33.0.3 or 32.0.9 for the Server and specified versions for the Enterprise Server to remediate this issue.

An authenticated attacker with knowledge of a share token can bypass password protection and download restrictions to access attachments of link shares. This compromises confidentiality of attachments but does not allow access to the shared files or folders themselves. The impact is limited to attachment exposure and requires authentication and knowledge or guessing of documentIds. There are no known exploits in the wild at this time.

Nextcloud recommends upgrading affected Server versions to 33.0.3 or 32.0.9 and Enterprise Server versions to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, or 27.1.11.5. No official patch or temporary workaround details are provided beyond upgrading. Patch status is not explicitly confirmed in the advisory, but the upgrade recommendation indicates that fixed versions are available. Users should apply these updates to remediate the vulnerability.