CVE-2026-45284: CWE-284: Improper Access Control in nextcloud security-advisories
Nextcloud versions from 1. 3. 6 up to but not including 8. 4. 0 contain an improper access control vulnerability where users provisioned via LDAP could still authenticate through user OIDC after being deleted. This issue has been addressed and patched in Nextcloud version 8. 4. 0. The vulnerability has a medium severity rating with a CVSS score of 4. 6.
AI Analysis
Technical Summary
CVE-2026-45284 describes an improper access control vulnerability (CWE-284) in Nextcloud's security-advisories component affecting versions 1.3.6 through 8.3.x. The flaw allowed users who were provisioned via LDAP and subsequently deleted to continue authenticating via user OIDC due to insufficient checks. This could lead to unauthorized access persistence. The issue was fixed in Nextcloud version 8.4.0.
Potential Impact
The vulnerability allows deleted LDAP-provisioned users to still authenticate via user OIDC, potentially enabling unauthorized access to the Nextcloud platform. The CVSS score of 4.6 indicates a medium impact affecting confidentiality, integrity, and availability to a limited extent.
Mitigation Recommendations
Upgrade Nextcloud to version 8.4.0 or later, where this improper access control vulnerability has been patched. Since the vendor advisory confirms the fix in version 8.4.0, applying this official update is the recommended remediation. Patch status is confirmed by the vendor advisory.
CVE-2026-45284: CWE-284: Improper Access Control in nextcloud security-advisories
Description
Nextcloud versions from 1. 3. 6 up to but not including 8. 4. 0 contain an improper access control vulnerability where users provisioned via LDAP could still authenticate through user OIDC after being deleted. This issue has been addressed and patched in Nextcloud version 8. 4. 0. The vulnerability has a medium severity rating with a CVSS score of 4. 6.
CVSS v3.1
Score 4.6medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-45284 describes an improper access control vulnerability (CWE-284) in Nextcloud's security-advisories component affecting versions 1.3.6 through 8.3.x. The flaw allowed users who were provisioned via LDAP and subsequently deleted to continue authenticating via user OIDC due to insufficient checks. This could lead to unauthorized access persistence. The issue was fixed in Nextcloud version 8.4.0.
Potential Impact
The vulnerability allows deleted LDAP-provisioned users to still authenticate via user OIDC, potentially enabling unauthorized access to the Nextcloud platform. The CVSS score of 4.6 indicates a medium impact affecting confidentiality, integrity, and availability to a limited extent.
Mitigation Recommendations
Upgrade Nextcloud to version 8.4.0 or later, where this improper access control vulnerability has been patched. Since the vendor advisory confirms the fix in version 8.4.0, applying this official update is the recommended remediation. Patch status is confirmed by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-11T18:41:13.158Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1de306e29bf47b503a5580
Added to database: 6/1/2026, 7:52:38 PM
Last enriched: 6/1/2026, 8:05:05 PM
Last updated: 6/2/2026, 4:57:42 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.