PatchSiren cyber security CVE debrief
CVE-2026-45155 nextcloud CVE debrief
A missing access control check in the Circles API shipped with Nextcloud Server allows any authenticated user, including low-privileged ones, to add an arbitrary circle to another circle by supplying its ID, which exposes membership relationships once a circle ID has been obtained through some other channel. The vulnerability affects Nextcloud Server 32.0.0 through 32.0.6 and 33.0.0; fixes are available in 32.0.7 and 33.0.1. Attack complexity is rated high because the target circle ID must already be known (62^15 possible IDs make blind guessing impractical), and the confidentiality impact is rated low under CVSS 3.1.
- Vendor
- nextcloud
- Product
- security-advisories
- CVSS
- LOW 2.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-01
- Original CVE updated
- 2026-06-01
- Advisory published
- 2026-06-01
- Advisory updated
- 2026-06-01
Who should care
Nextcloud Server administrators managing multi-user instances with Circles functionality enabled; organizations using Nextcloud for structured collaboration where circle membership confidentiality carries compliance or operational sensitivity; security teams responsible for access control auditing in content collaboration platforms
Technical summary
The Nextcloud Circles application provides user-defined groups with their own sharing and collaboration features, and a circle can itself be added as a member of another circle. In affected versions, the API endpoint that adds one circle to another did not verify that the requesting user had access to the source circle being added or to the destination circle receiving it. Any authenticated user who knew a circle's unique identifier could therefore create a membership relationship between circles without the consent or privileges the operation should require. This is the CWE-639 pattern: the circle ID is a user-controlled key that the endpoint trusts without an ownership or membership check.

Circle IDs are 15-character strings drawn from a 62-character alphabet, giving 62^15 (roughly 7.7×10^26) possible values, so enumeration by brute force is impractical and the CVSS vector rates attack complexity as high. The practical precondition is that an ID leaks through another channel, such as a shared link, a log entry, client-side exposure or social engineering; once an ID is known there is no further barrier.

Successful exploitation reveals membership associations between circles, which can expose organisational structure, project participation or similar metadata. It does not give access to content shared within a circle, take over accounts or disrupt service, which is consistent with the vector's rating of no integrity or availability impact. The fix in nextcloud/circles pull request 2401 adds the missing access control validation so that the requesting principal must hold membership or administrative rights over both circles involved in the operation.
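The following is an added illustration of the authorization gap described above and of the endpoint check recommended under "Recommended defensive actions"; it is not Nextcloud's code. It models a minimal circle store with the vulnerable circle-to-circle "add" handler beside a hardened form that requires the requester to administer the destination circle and at least belong to the source circle. The `Circle` and `CircleStore` classes, the owner/admins/members permission model and the scenario data are all assumptions made for this example; only the ID format (15 characters from a 62-character alphabet) follows the advisory text.

```python
"""Added example (not Nextcloud's code): vulnerable vs. hardened
circle-to-circle "add" handler. All classes, names and data are
assumptions made for illustration; the ID format follows the advisory."""
import math
import secrets
import string
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# 62-character alphabet, 15 characters per ID, as described in the debrief.
ID_ALPHABET = string.ascii_letters + string.digits  # 52 + 10 = 62 symbols
ID_LENGTH = 15


def new_circle_id() -> str:
    """Random circle ID from a CSPRNG (secrets), never random.choice."""
    return "".join(secrets.choice(ID_ALPHABET) for _ in range(ID_LENGTH))


def id_space_bits() -> float:
    """Entropy of the ID space: log2(62^15), about 89 bits."""
    return ID_LENGTH * math.log2(len(ID_ALPHABET))


class Forbidden(Exception):
    """Raised for every denied operation, including an unknown circle ID,
    so the response does not act as an oracle for which IDs exist."""


@dataclass
class Circle:
    circle_id: str
    owner: str
    admins: Set[str] = field(default_factory=set)
    members: Set[str] = field(default_factory=set)  # user IDs or nested circle IDs

    def can_manage(self, user: str) -> bool:
        return user == self.owner or user in self.admins

    def can_see(self, user: str) -> bool:
        return self.can_manage(user) or user in self.members


class CircleStore:
    def __init__(self) -> None:
        self.circles: Dict[str, Circle] = {}

    def create(self, owner: str) -> Circle:
        circle = Circle(circle_id=new_circle_id(), owner=owner)
        self.circles[circle.circle_id] = circle
        return circle

    def _lookup(self, circle_id: str) -> Circle:
        circle = self.circles.get(circle_id)
        if circle is None:
            raise Forbidden("unknown circle")
        return circle

    def add_circle_vulnerable(self, requester: Optional[str], source_id: str, dest_id: str) -> None:
        """CWE-639 shape: authentication is checked, authorization is not.
        Both IDs are caller-controlled keys that are trusted as-is."""
        if requester is None:
            raise Forbidden("login required")
        self._lookup(source_id)  # existence only, no rights check
        self._lookup(dest_id).members.add(source_id)

    def add_circle_hardened(self, requester: Optional[str], source_id: str, dest_id: str) -> None:
        """Fixed shape: the requester must administer the destination circle
        and at least belong to the source circle before the link is created."""
        if requester is None:
            raise Forbidden("login required")
        if source_id == dest_id:
            raise Forbidden("a circle cannot contain itself")
        source = self._lookup(source_id)
        dest = self._lookup(dest_id)
        if not dest.can_manage(requester):
            raise Forbidden("requester does not manage the destination circle")
        if not source.can_see(requester):
            raise Forbidden("requester has no access to the source circle")
        dest.members.add(source_id)


def _allowed(op: Callable[..., None], *args: object) -> bool:
    """True if the operation succeeded, False if it raised Forbidden."""
    try:
        op(*args)
        return True
    except Forbidden:
        return False


def demo() -> Dict[str, bool]:
    """Constructed scenario: 'mallory' has learned the ID of alice's circle
    (say, from a leaked link) but is not a member of it."""
    store = CircleStore()
    hr = store.create(owner="alice")      # sensitive circle
    hr.members.add("bob")
    mine = store.create(owner="mallory")  # attacker's own circle
    proj = store.create(owner="alice")    # alice's second circle
    return {
        # vulnerable endpoint: the attacker links alice's circle into her own
        "vulnerable_linked": _allowed(store.add_circle_vulnerable, "mallory", hr.circle_id, mine.circle_id),
        # hardened: no read access to the source circle, so denied
        "hardened_as_source": _allowed(store.add_circle_hardened, "mallory", hr.circle_id, mine.circle_id),
        # hardened: no admin rights on the destination circle, so denied
        "hardened_as_dest": _allowed(store.add_circle_hardened, "mallory", mine.circle_id, hr.circle_id),
        # hardened: the owner of both circles may still nest them
        "legitimate": _allowed(store.add_circle_hardened, "alice", hr.circle_id, proj.circle_id),
        # hardened: a guessed or unknown ID is refused with the same error
        "unknown_id": _allowed(store.add_circle_hardened, "alice", "A" * ID_LENGTH, proj.circle_id),
    }
```

The hardened handler checks rights on both keys, not just the destination: without the `can_see` test on the source circle an attacker who owns a throwaway circle could still pull any known circle into it and read the resulting membership. Collapsing "unknown ID" and "no access" into one error keeps the endpoint from confirming which IDs exist, which matters precisely because the ID is the only secret protecting the relationship.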
Defensive priority
low
Recommended defensive actions
- Upgrade Nextcloud Server to version 32.0.7 or 33.0.1, or apply the corresponding Enterprise Server patch versions (29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7, or 33.0.1)
- Review circle membership audit logs for unauthorized additions in affected versions, particularly for circles with sensitive membership data
- Validate that API endpoints enforcing circle-to-circle relationships implement proper ownership and membership access controls
- Monitor for unusual patterns of circle ID enumeration attempts or bulk membership changes
- Apply principle of least privilege for circle administration and restrict circle visibility settings where membership confidentiality is required
Evidence notes
Vulnerability disclosed via GitHub Security Advisory GHSA-xpgv-grf9-gm7x and HackerOne report 3511998. Fix implemented in nextcloud/circles pull request 2401. CVSS 3.1 vector AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N confirms network-based attack with high complexity, low privileges required, user interaction needed, and low confidentiality impact with no integrity or availability impact. CWE-639 (Authorization Bypass Through User-Controlled Key) classified as primary weakness.
Official resources
2026-06-01