PatchSiren cyber security CVE debrief

CVE-2026-45154 nextcloud CVE debrief

A low-severity access control issue in Nextcloud Collectives allowed guests with view-only access to a shared collective to retrieve deleted pages directly from the trashbin. The flaw existed from version 2.6.0 through versions prior to 4.3.0 and was fixed in version 4.3.0. It stems from improper access control (CWE-284): the trashbin retention mechanism did not enforce the same view-only restrictions on deleted content that applied to active collective pages. The CVSS 3.1 vector indicates a network attack vector, high attack complexity, low privileges required and user interaction required, with low confidentiality impact and no integrity or availability impact. The issue was reported through HackerOne and patched via a GitHub pull request.

Vendor: nextcloud
Product: security-advisories
CVSS: LOW 2.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running Nextcloud Collectives versions 2.6.0 up to but not including 4.3.0 that share collectives with view-only guests, where deleted pages may still hold sensitive information that guests should not be able to read.

Technical summary

The Nextcloud Collectives application, versions 2.6.0 up to but not including 4.3.0, fails to enforce view-only access restrictions on deleted pages stored in the trashbin. When a collective is shared with view-only permissions, guests with access to that collective can read deleted pages directly from the trashbin, bypassing the intended access control boundary. Exploitation requires network access, low privileges and user interaction, and has high attack complexity. There is no integrity or availability impact; only a low confidentiality impact is possible. The root cause is improper access control (CWE-284) in the trashbin retrieval logic. The fix is available in version 4.3.0.

Defensive priority

low

Recommended defensive actions

  • Upgrade Nextcloud Collectives to version 4.3.0 or later to remediate this access control flaw.
  • Verify that collective sharing permissions are appropriately restricted, and audit trashbin access patterns for sensitive collectives.
  • Review the HackerOne report and the GitHub security advisory for additional technical context on the fix.

Evidence notes

The CVE description and NVD source data confirm the affected version range (2.6.0 up to but not including 4.3.0) and the patch version (4.3.0). The CVSS score of 2.6 with LOW severity reflects the high attack complexity and the required user interaction. The weakness is classified as CWE-284 (Improper Access Control). The attribution to Nextcloud is supported by GitHub repository references (nextcloud/collectives, nextcloud/security-advisories) and by the HackerOne report. The vendor field shows 'Unknown Vendor' with low confidence and a needsReview flag because the vendor was inferred automatically from the domain of the HackerOne reference; manual review should update it to Nextcloud.

Official resources

2026-06-01T17:17:09.013Z