CVE-2026-45690

Published: Giu 01, 2026 Last Modified: Giu 01, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,9

Source: [email protected]

Attack Vector: network

Attack Complexity: high

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: low

Integrity: high

Availability: none

Description

AI Translation Available

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user's password to circumvent two-factor authentication (2FA) protections. When a user initiated login with valid credentials on a 2FA-enabled account, the system created a temporary session token before enforcing the second factor challenge. This token could be extracted and replayed via HTTP Basic Authentication to gain unauthorized access to authenticated endpoints. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16

287

Improper Authentication

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Confidentiality Availability Access Control

Potential Impacts:

Read Application Data Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands

Applicable Platforms

Technologies: Not Technology-Specific, Web Based, ICS/OT

Likelihood of Exploit: High

View CWE Details

https://github.com/nextcloud/security-advisories/security/a…

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jgcj-…

https://github.com/nextcloud/server/pull/59758

https://hackerone.com/reports/3639301

CVE-2026-45690

Description

Improper Authentication

Common Consequences

Applicable Platforms

Iscriviti alla newsletter