PatchSiren cyber security CVE debrief

CVE-2026-45153 nextcloud CVE debrief

A medium-severity authentication bypass vulnerability in the Nextcloud Files Android application allows a local attacker with physical device access to circumvent the application PIN protection. The flaw exists in versions 33.0.0 through 33.0.x, where unlocking a locked Android device and subsequently using the system back-button enables navigation past the application's PIN screen without valid authentication. The CVSS 3.1 vector (AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N) reflects the physical access requirement, high attack complexity, low privileges, and resulting high confidentiality impact with low integrity impact. The vulnerability stems from improper authentication state management (CWE-287) when handling Android lifecycle events after device unlock. Nextcloud patched this issue in version 33.1.0.

Vendor: nextcloud
Product: security-advisories
CVSS: MEDIUM 4.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations using Nextcloud Files for Android with PIN protection enabled; mobile security administrators; users storing sensitive data in Nextcloud on Android devices; security teams evaluating mobile application authentication controls.

Technical summary

The Nextcloud Files Android application (versions 33.0.0 to 33.0.x) fails to properly maintain authentication state when the Android device transitions from locked to unlocked. After a user unlocks their Android device, pressing the system back-button allows navigation backward through the activity stack, bypassing the application's PIN protection screen. This represents an authentication bypass (CWE-287) where the application does not revalidate the PIN requirement upon resumption after device unlock. The attack requires physical possession of the device and knowledge of the device unlock method, but not the Nextcloud app PIN. The fix in version 33.1.0 likely adds proper lifecycle handling to clear activity history or re-prompt for PIN authentication when the device is unlocked.
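As an added illustration, not code from the Nextcloud project or from this advisory, the following Kotlin sketch shows the defensive pattern the summary describes for an Android app lock: a process-wide "PIN required" flag that is armed whenever the app leaves the foreground or the screen turns off, re-checked in every protected activity's onResume rather than only at launch, and a PIN screen that swallows the system back button and clears the task so no protected activity remains behind it. The names AppLock, LockedActivity, PinActivity, FileListActivity, PinStore and NextcloudLikeApp are assumed for the example, and PinStore stands in for whatever persisted (salt, hash) pair the real app would use.

```kotlin
import android.app.Application
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.os.Bundle
import android.view.WindowManager
import androidx.activity.OnBackPressedCallback
import androidx.appcompat.app.AppCompatActivity
import androidx.core.content.ContextCompat
import androidx.lifecycle.DefaultLifecycleObserver
import androidx.lifecycle.LifecycleOwner
import androidx.lifecycle.ProcessLifecycleOwner
import java.security.MessageDigest

// Single source of truth for "does the app currently require a PIN?" (hypothetical name).
// Armed when the process leaves the foreground or the screen turns off; cleared only by
// a successful PIN entry. Starting locked covers cold start and process death.
object AppLock : DefaultLifecycleObserver {
    @Volatile var locked = true
        private set

    fun install(app: Application) {
        ProcessLifecycleOwner.get().lifecycle.addObserver(this)
        // ProcessLifecycleOwner reports onStop with a short delay; the screen-off
        // broadcast arms the lock immediately when the device is locked.
        val screenOff = object : BroadcastReceiver() {
            override fun onReceive(ctx: Context, intent: Intent) { locked = true }
        }
        ContextCompat.registerReceiver(app, screenOff, IntentFilter(Intent.ACTION_SCREEN_OFF),
            ContextCompat.RECEIVER_NOT_EXPORTED)
    }

    override fun onStop(owner: LifecycleOwner) { locked = true }  // app backgrounded
    fun unlock() { locked = false }
}

class NextcloudLikeApp : Application() {  // hypothetical Application subclass
    override fun onCreate() { super.onCreate(); AppLock.install(this) }
}

// Every screen showing protected content extends this. The check runs in onResume, so it
// fires on every return to the foreground, including after a device lock/unlock cycle.
abstract class LockedActivity : AppCompatActivity() {
    override fun onResume() {
        super.onResume()
        if (AppLock.locked) {
            // CLEAR_TASK drops this and every other activity behind the PIN screen,
            // so the system back button has no protected screen to return to.
            startActivity(Intent(this, PinActivity::class.java)
                .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK or Intent.FLAG_ACTIVITY_CLEAR_TASK))
            finish()
        }
    }
}

class FileListActivity : LockedActivity()  // hypothetical protected screen

class PinActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)  // keep PIN UI out of recents/screenshots
        // Back must not be a way past this screen: register an enabled callback that does nothing.
        onBackPressedDispatcher.addCallback(this, object : OnBackPressedCallback(true) {
            override fun handleOnBackPressed() { /* intentionally ignored while locked */ }
        })
    }

    // Called by the PIN input UI with the digits the user entered.
    fun onPinSubmitted(entered: CharArray) {
        if (verifyPin(entered)) {
            entered.fill('\u0000')
            AppLock.unlock()
            startActivity(Intent(this, FileListActivity::class.java)
                .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK or Intent.FLAG_ACTIVITY_CLEAR_TASK))
            finish()
        }
    }

    // Salted SHA-256 compare in constant time; PinStore (hypothetical) returns the
    // (salt, hash) pair persisted when the PIN was set up.
    private fun verifyPin(entered: CharArray): Boolean {
        val (salt, expected) = PinStore.load(this)
        val md = MessageDigest.getInstance("SHA-256")
        md.update(salt)
        md.update(String(entered).toByteArray(Charsets.UTF_8))
        return MessageDigest.isEqual(md.digest(), expected)
    }
}
```

The deliberate trade-off in this sketch is that unlocking always returns the user to the top-level file list rather than to the screen they were on: restoring the previous position would mean keeping protected activities alive beneath the PIN screen, which is exactly the stack the back button walks through in the bypass described above. When assessing an app lock, a useful check is to lock and unlock the device on a deep screen, press back repeatedly, and confirm the PIN prompt is the only reachable activity.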

Defensive priority

medium

Recommended defensive actions

  • Upgrade Nextcloud Files Android app to version 33.1.0 or later
  • Enable full-device encryption and strong screen lock to reduce physical access attack surface
  • Review and test application authentication flows after device lock/unlock cycles during security assessments
  • Monitor for unauthorized file access in Nextcloud audit logs on devices running affected versions
  • Apply mobile device management policies that enforce minimum app versions for corporate Nextcloud deployments

Evidence notes

CVE published and modified 2026-06-01. NVD status: Deferred. Vendor attribution based on reference domain candidate (HackerOne) with low confidence; product identified as Nextcloud Files Android app from advisory content.

Official resources

2026-06-01T17:17:08.860Z