CVE-2026-45285: CWE-862: Missing Authorization in nextcloud security-advisories
Nextcloud versions 32. 0. 0 to before 32. 0. 9 and 33. 0. 0 to before 33. 0. 3 contain a missing authorization vulnerability. When sharing folders or files with a Nextcloud Team that includes an external member, the system automatically creates a hidden public link granting full team permissions to that external member.
AI Analysis
Technical Summary
CVE-2026-45285 is a missing authorization vulnerability (CWE-862) in Nextcloud's sharing functionality. In affected versions, sharing with an external member via email causes the system to create a public link with the same permissions as the team share. This link is not displayed in the sharing interface, preventing the folder owner from detecting or revoking it. The external member receives this link by email, enabling them to access, modify, delete, reshare, and download all data in the shared folder without additional authentication. The vulnerability affects Nextcloud versions >= 32.0.0 and < 32.0.9, and >= 33.0.0 and < 33.0.3. It has been patched in versions 32.0.9 and 33.0.3.
Potential Impact
An attacker who obtains or intercepts the hidden public link can fully control the shared folder's contents, including reading, modifying, deleting, resharing, and downloading data. The folder owner cannot see or revoke this link through the normal interface, leading to unauthorized data exposure and potential data loss or manipulation. The CVSS score of 6.4 reflects a medium severity with high confidentiality and integrity impact but no availability impact.
Mitigation Recommendations
This vulnerability has been patched in Nextcloud versions 32.0.9 and 33.0.3. Users should upgrade to these or later versions to remediate the issue. Since the vendor advisory indicates the issue is fixed in these versions, no additional mitigation steps are required beyond applying the official update.
CVE-2026-45285: CWE-862: Missing Authorization in nextcloud security-advisories
Description
Nextcloud versions 32. 0. 0 to before 32. 0. 9 and 33. 0. 0 to before 33. 0. 3 contain a missing authorization vulnerability. When sharing folders or files with a Nextcloud Team that includes an external member, the system automatically creates a hidden public link granting full team permissions to that external member.
CVSS v3.1
Score 6.4medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-45285 is a missing authorization vulnerability (CWE-862) in Nextcloud's sharing functionality. In affected versions, sharing with an external member via email causes the system to create a public link with the same permissions as the team share. This link is not displayed in the sharing interface, preventing the folder owner from detecting or revoking it. The external member receives this link by email, enabling them to access, modify, delete, reshare, and download all data in the shared folder without additional authentication. The vulnerability affects Nextcloud versions >= 32.0.0 and < 32.0.9, and >= 33.0.0 and < 33.0.3. It has been patched in versions 32.0.9 and 33.0.3.
Potential Impact
An attacker who obtains or intercepts the hidden public link can fully control the shared folder's contents, including reading, modifying, deleting, resharing, and downloading data. The folder owner cannot see or revoke this link through the normal interface, leading to unauthorized data exposure and potential data loss or manipulation. The CVSS score of 6.4 reflects a medium severity with high confidentiality and integrity impact but no availability impact.
Mitigation Recommendations
This vulnerability has been patched in Nextcloud versions 32.0.9 and 33.0.3. Users should upgrade to these or later versions to remediate the issue. Since the vendor advisory indicates the issue is fixed in these versions, no additional mitigation steps are required beyond applying the official update.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-11T20:14:43.200Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1de306e29bf47b503a5585
Added to database: 6/1/2026, 7:52:38 PM
Last enriched: 6/1/2026, 8:05:01 PM
Last updated: 6/2/2026, 5:02:33 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.