PatchSiren cyber security CVE debrief
CVE-2026-45264 nextcloud CVE debrief
A medium-severity authorization bypass in Nextcloud Group Folders allows users with only READ and CREATE permissions to rename files within team folders, despite lacking explicit UPDATE permission. This represents an improper access control condition (CWE-284) where the rename operation is not adequately gated by the UPDATE permission check. The vulnerability affects Nextcloud versions 17.0.0 through 17.0.14, 18.0.0 through 18.1.11, 19.0.0 through 19.1.15, 20.0.0 through 20.1.10, and 21.0.0 through 21.0.3. The issue was reported via HackerOne and patched through GitHub pull request 4361 in the groupfolders repository. Patched versions are 17.0.15, 18.1.12, 19.1.16, 20.1.11, and 21.0.4. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, with impacts limited to integrity (no confidentiality or availability impact), yielding a base score of 4.3 (Medium). The CVE was published on June 1, 2026, with a subsequent modification the same day. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: nextcloud
- Product: security-advisories
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-06-01
- Advisory updated: 2026-06-01
Who should care
Nextcloud administrators managing team folders with granular permission schemes; organizations relying on strict separation of READ/CREATE and UPDATE permissions for compliance or workflow integrity; security teams monitoring for authorization bypass conditions in content collaboration platforms.
Technical summary
The vulnerability exists in the Nextcloud groupfolders application where the file rename operation does not properly validate the UPDATE permission. A user granted READ and CREATE permissions on a team folder—but explicitly denied UPDATE—can still execute rename operations on existing files. This bypasses the intended access control model, potentially allowing unauthorized modification of file organization and naming conventions without the ability to modify file contents directly. The fix in pull request 4361 adds proper permission validation for the rename operation.
Defensive priority
medium
Recommended defensive actions
- Upgrade Nextcloud Group Folders to a patched release (17.0.15, 18.1.12, 19.1.16, 20.1.11 or 21.0.4) or to any later release in the same branch
- Review team folder permission configurations to ensure UPDATE permission is properly restricted where file integrity is critical
- Monitor access logs for rename operations in team folders performed by users who lack UPDATE permission
- Apply the principle of least privilege when granting READ and CREATE without UPDATE, since on unpatched releases that combination still permits renames
- Verify that the patch was applied by checking the groupfolders application version in the Nextcloud admin settings
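One way to act on the monitoring recommendation above, as an added example that is not Nextcloud's code: it models the check the fix introduces (a rename requires UPDATE on the folder) and runs it over constructed audit lines to flag renames that an unpatched instance would have accepted. The permission bits, the folder assignments and the log line format are all constructed assumptions, not Nextcloud's real constants or log format.

```python
# Added example, not Nextcloud code: flag rename events in team folders by
# users whose effective permissions lack UPDATE. The permission bits, folder
# assignments and audit lines are constructed for illustration and do not
# reproduce Nextcloud's real permission constants or log format.

READ, UPDATE, CREATE = 1, 2, 4  # constructed permission bits

# Constructed effective permissions per (team folder, user)
FOLDER_PERMISSIONS = {
    ("finance", "alice"): READ | CREATE,  # READ+CREATE only: renames must be refused
    ("finance", "bob"): READ | CREATE | UPDATE,
    ("legal", "alice"): READ | UPDATE,
}

# Constructed audit lines: "<time> <user> <op> <folder> <path>[ -> <newpath>]"
SAMPLE_LOG = """\
2026-06-01T09:00:00Z bob rename finance Q1.xlsx -> Q1-final.xlsx
2026-06-01T09:05:12Z alice create finance notes.txt
2026-06-01T09:06:40Z alice rename finance notes.txt -> budget.txt
2026-06-01T09:10:03Z alice rename legal nda.pdf -> nda-v2.pdf
2026-06-01T09:11:55Z carol rename finance a.txt -> b.txt
"""


def rename_allowed(folder, user):
    """Patched-behaviour model: a rename needs UPDATE on the folder.
    The vulnerable behaviour let anyone holding READ and CREATE rename
    existing files, which is exactly what this check refuses."""
    return bool(FOLDER_PERMISSIONS.get((folder, user), 0) & UPDATE)


def find_suspicious_renames(log_text):
    """Return (time, user, folder, old, new, reason) for every rename the
    UPDATE check would refuse: the events to review on an unpatched instance."""
    findings = []
    for line in log_text.splitlines():
        time, user, op, folder, rest = line.split(" ", 4)
        if op != "rename":
            continue
        old, new = (p.strip() for p in rest.split("->", 1))
        if (folder, user) not in FOLDER_PERMISSIONS:
            findings.append((time, user, folder, old, new, "no permission entry"))
        elif not rename_allowed(folder, user):
            findings.append((time, user, folder, old, new, "rename without UPDATE"))
    return findings


if __name__ == "__main__":
    for time, user, folder, old, new, reason in find_suspicious_renames(SAMPLE_LOG):
        print(f"{time} {user} renamed {old} -> {new} in {folder}: {reason}")
```

Users with no permission entry at all are reported separately, because a rename by such a user points at a gap in the folder assignments rather than at this vulnerability.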
Evidence notes
The affected product is Nextcloud, specifically the groupfolders application. Vendor identification carries low confidence due to the 'Unknown Vendor' classification in source data, though multiple reference domain candidates point to HackerOne and the Nextcloud GitHub organization. The canonical source for vendor information is marked as requiring review.
Official resources
The vulnerability was disclosed through coordinated disclosure via HackerOne and Nextcloud's security advisory process. The GitHub Security Advisory GHSA-wx2x-822r-rvmf was published alongside the fix.