PatchSiren

CVE-2026-45156 nextcloud CVE debrief

CVE-2026-45156 is a HIGH severity (CVSS 8.1) authentication bypass vulnerability in Nextcloud's User OIDC application. The flaw stems from missing signature verification in the ID4me authentication flow, allowing a malicious ID4me authority to impersonate any user on affected Nextcloud instances. Affected User OIDC versions are 0.3.0 up to but not including 3.1.0, 5.0.0 up to but not including 5.1.0, and 6.0.0 up to but not including 6.4.0. The issue was reported through HackerOne and has been patched in versions 3.1.0, 4.1.0, 5.1.0, 6.4.0, and 8.3.0. The vulnerability is classified under CWE-287 (Improper Authentication). The NVD entry currently shows a status of Deferred.

Vendor: nextcloud
Product: security-advisories
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running Nextcloud with User OIDC enabled for ID4me authentication, particularly multi-tenant or externally-facing instances where users may authenticate through federated identity providers.

Technical summary

The Nextcloud User OIDC application fails to verify cryptographic signatures on ID4me authority responses. An attacker who controls or compromises an ID4me authority can forge authentication responses asserting the identity of arbitrary users, achieving complete account takeover without credentials. The vulnerability is exploitable over the network with low attack complexity and no privileges; the only requirement is user interaction (the victim must be redirected to the malicious authority). Confidentiality and Integrity impacts are HIGH; Availability impact is NONE.
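The class of defect described above is "trust the claims before checking the signature". The following is an added illustration written for this debrief, not code from Nextcloud or the User OIDC app (which is PHP): it places the vulnerable pattern next to the hardened one. It assumes, purely for self-containment, that the authority's assertion is a JWT signed with HS256 under a shared secret; real OIDC and ID4me flows use asymmetric keys fetched from the authority's JWKS, but the order of checks (signature, then issuer, audience and expiry, then `sub`) is the same. All issuer, audience, key and user values are constructed for the example.

```python
"""Added illustration (not Nextcloud or User OIDC code): why an identity
assertion's claims must not be trusted until its signature is verified.

Constructed assumptions: tokens are JWTs signed with HS256 and a shared secret
standing in for the authority's key; real OIDC/ID4me flows use asymmetric keys
fetched from the authority's JWKS, but the verify-before-trust logic is the same.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values: the single issuer, audience and key this verifier trusts.
TRUSTED_ISSUER = "https://id4me-authority.example"
EXPECTED_AUDIENCE = "nextcloud-client-id"
AUTHORITY_KEY = b"constructed-shared-secret-for-example-only"
FAR_FUTURE_EXP = 4102444800  # 2100-01-01, keeps sample tokens unexpired


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT; used only to construct sample inputs."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def insecure_identity(token: str) -> str:
    """Vulnerable pattern: reads `sub` from the payload without checking the
    signature, so whoever returns the token decides which account logs in."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))["sub"]


def verified_identity(token: str, key: bytes, now: Optional[float] = None) -> str:
    """Hardened pattern: check signature, then issuer, audience and expiry,
    and only then trust `sub`. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("audience mismatch")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims["sub"]


def classify(token: str, key: bytes, now: Optional[float] = None) -> str:
    """Wrap verified_identity() into a string outcome for logging/assertions."""
    try:
        return "accepted:" + verified_identity(token, key, now)
    except ValueError as exc:
        return "rejected:" + str(exc)


def demo() -> dict:
    """Run both patterns over a genuine token and one signed with the wrong key."""
    claims = {"iss": TRUSTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": FAR_FUTURE_EXP}
    genuine = make_token({**claims, "sub": "alice"}, AUTHORITY_KEY)
    # Same shape of claims, but signed by a key the verifier never trusted.
    wrong_key = make_token({**claims, "sub": "someone-else"}, b"untrusted-key")
    return {
        "insecure_genuine": insecure_identity(genuine),
        "insecure_wrong_key": insecure_identity(wrong_key),  # trusts the payload
        "verified_genuine": classify(genuine, AUTHORITY_KEY),
        "verified_wrong_key": classify(wrong_key, AUTHORITY_KEY),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the demo makes is that `insecure_identity` returns whatever `sub` the responding authority put in the payload, so a token signed with a key the relying party never trusted still logs in "someone-else", whereas `verified_identity` rejects it at the signature step before any claim is read. Pinning the algorithm and checking issuer, audience and expiry after the signature are the usual companions to that check in an OIDC relying party.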

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Nextcloud User OIDC to patched versions 3.1.0, 4.1.0, 5.1.0, 6.4.0, or 8.3.0 or later
  • Verify ID4me authority configurations and restrict trusted authorities to known-good endpoints
  • Review authentication logs for anomalous ID4me-based logins that occurred before the patch was applied
  • If immediate patching is not feasible, consider disabling ID4me authentication in User OIDC settings
  • Monitor for updates to the deferred NVD entry for additional technical details

Evidence notes

Vulnerability description and affected versions sourced from official CVE record and GitHub Security Advisory. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. Patch versions confirmed in advisory. HackerOne report reference indicates coordinated disclosure. NVD status is Deferred as of source capture.

Official resources

2026-06-01