PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45159 nextcloud CVE debrief

A vulnerability in Nextcloud's end-to-end encryption (E2EE) feature allowed malicious users with access to an E2EE files drop link to upload files into other E2EE folders belonging to the share owner. The issue affected multiple versions of the end_to_end_encryption app and was resolved through authorization boundary fixes.

Vendor: nextcloud
Product: security-advisories
CVSS: LOW 3.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running Nextcloud with end-to-end encryption enabled and files drop links configured. Security teams responsible for Nextcloud instance hardening and access control review.

Technical summary

The vulnerability exists in the Nextcloud end_to_end_encryption application versions 1.15.0 through 1.15.3, 1.16.0 through 1.16.2, 1.17.0, and 1.18.0. A malicious user in possession of an E2EE files drop link could bypass the intended authorization boundary and upload files into other E2EE folders owned by the share creator. The attacker could not read or modify existing files in those folders; the impact was limited to depositing new files. The root cause is insufficient authorization validation when processing files drop uploads in the E2EE context (CWE-639: Authorization Bypass Through User-Controlled Key). Patches in versions 1.15.4, 1.16.3, 1.17.1, 1.18.1, and 2.0.0-rc.7 enforce proper folder-level authorization checks.

Defensive priority

LOW

Recommended defensive actions

  • Upgrade the Nextcloud end_to_end_encryption app to 1.15.4, 1.16.3, 1.17.1, 1.18.1, or 2.0.0-rc.7, or a later release on the same branch
  • Review E2EE files drop link sharing configurations and revoke unnecessary or untrusted links
  • Audit E2EE folders for unexpected files uploaded during the affected version window
  • Monitor for unauthorized file uploads in E2EE directories
  • Apply principle of least privilege when granting files drop link access
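To turn the version ranges from the technical summary and the upgrade action above into a repeatable check, here is an added example (not code from PatchSiren or Nextcloud) that classifies an installed end_to_end_encryption app version against the advisory. It assumes the app's version string follows the X.Y.Z or X.Y.Z-rc.N pattern shown on this page; the function and table names are my own.

```python
import re

# First affected and first fixed version per release branch, exactly as the
# advisory states them (branch -> (first affected, first fixed)).
ADVISORY = {
    (1, 15): ("1.15.0", "1.15.4"),
    (1, 16): ("1.16.0", "1.16.3"),
    (1, 17): ("1.17.0", "1.17.1"),
    (1, 18): ("1.18.0", "1.18.1"),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def version_key(text):
    """Parse 'X.Y.Z' or 'X.Y.Z-rc.N' into a sortable key.
    A pre-release sorts before its final release, as semver requires, so a
    hypothetical '1.15.4-rc.1' is still older than the fixed '1.15.4'.
    Pre-release tags are compared as plain strings (good enough here)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    return (core, pre is None, pre or "")


def assess(installed):
    """Classify an installed end_to_end_encryption version.
    Returns (status, first_fixed); status is 'affected', 'fixed' or
    'not-in-stated-range' for versions the advisory does not enumerate."""
    key = version_key(installed)
    branch = key[0][:2]
    if branch not in ADVISORY:
        # 2.0.0-rc.7 is listed as patched, but the advisory does not say which
        # earlier 2.0.0 pre-releases were affected, so they are not flagged here.
        return "not-in-stated-range", None
    first_affected, first_fixed = ADVISORY[branch]
    if key < version_key(first_affected):
        return "not-in-stated-range", first_fixed
    if key < version_key(first_fixed):
        return "affected", first_fixed
    return "fixed", first_fixed


if __name__ == "__main__":
    # Constructed sample inputs covering each branch plus the unlisted 2.0.0 rc.
    for v in ("1.15.3", "1.15.4", "1.16.2", "1.17.0", "1.18.1", "2.0.0-rc.7"):
        print(v, *assess(v))
```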

Evidence notes

The CVE description and GitHub Security Advisory confirm the affected version ranges and patch versions. The HackerOne report indicates coordinated disclosure. The CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N) supports the LOW severity rating with network attack vector, low attack complexity, low privileges required, user interaction required, and low integrity impact with no confidentiality or availability impact.

Official resources

Disclosed 2026-06-01 via NVD and GitHub Security Advisory GHSA-p3qw-7gwx-wg24. The vulnerability was reported through HackerOne.