PatchSiren

CVE-2026-45266 nextcloud CVE debrief

A low-privilege user in Nextcloud Talk (Spreed) can forcibly mute other participants' microphones during a call when no High-performance Backend (HPB) is installed. The flaw is an improper authorization check (CWE-284) in the signaling path: a mute command sent by a client is applied to whichever participant the request names, rather than only to the sender's own session. The CVSS 3.1 score of 3.5 (LOW) reflects the need for an authenticated account and user interaction; the vector rates the impact as a low integrity loss (I:L) with no confidentiality or availability impact, but in practice any participant can silence others and override their control of their own audio. Nextcloud patched this in versions 21.1.10, 22.0.11, and 23.0.3.

Vendor
nextcloud
Product
security-advisories
CVSS
LOW 3.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

Nextcloud administrators running Talk/Spreed without the High-performance Backend; security teams managing self-hosted collaboration platforms; compliance officers concerned with communication integrity and unauthorized access controls.

Technical summary

The vulnerability lies in the signaling layer of Nextcloud Talk when it operates without a High-performance Backend (HPB). In that configuration the Nextcloud server relays signaling messages between call participants itself, and a missing authorization check lets an authenticated, low-privilege user send a mute command whose target is another participant's session ID. The server accepts the message and forwards it to that session, so the target's microphone is switched off without their consent. The fix in pull request #17577 adds server-side validation so that a mute command can only affect the sender's own session, and can target another participant's session only when the sender holds moderator privileges.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Nextcloud Talk (Spreed) to version 21.1.10, 22.0.11, or 23.0.3, or a later release on the same branch
  • If immediate patching is not feasible, evaluate whether the High-performance Backend can be deployed as a mitigating control; the advisory scopes the bug to deployments without the HPB, so treat this as a stopgap rather than a substitute for the upgrade
  • Review the call participant permission model (which roles may mute others) and audit logs for unauthorized mute events
  • Where your deployment logs signaling or call events, monitor for repeated mute commands from non-moderator participants that target a session other than their own
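
The authorization gap described in the technical summary and the monitoring recommended in the last bullet above, as an added example that is not code from Nextcloud Talk, the HackerOne report, or pull request #17577. It is written in Python as a language-neutral model of a signaling handler rather than in Talk's PHP; the message fields (`action`, `target`), the `Participant` and `Room` types, the relay stand-in and the audit record format are assumptions chosen to illustrate the check. The vulnerable handler forwards a `forceMute` to whatever session the client names; the hardened handler applies the rule the page attributes to the fix (own session always, other sessions only for moderators), and every decision is recorded so a simple counter can flag senders who keep trying to mute others.

```python
"""Model of the signaling-path authorization gap and its fix.

Added example, not Nextcloud Talk code: the Participant/Room types, the
message fields ("action", "target") and the audit format are assumptions
chosen to illustrate the check, not the project's real data model."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Participant:
    session_id: str
    user_id: str
    is_moderator: bool = False


@dataclass
class Room:
    participants: dict                              # session_id -> Participant
    delivered: list = field(default_factory=list)   # (target_session, message)
    audit: list = field(default_factory=list)       # (sender, target, verdict)

    def relay(self, target_session, message):
        """Stand-in for the server handing a signaling message to a client."""
        self.delivered.append((target_session, message))


def build_room():
    """Constructed sample call: one moderator and two ordinary participants."""
    people = [
        Participant("sess-alice", "alice", is_moderator=True),
        Participant("sess-bob", "bob"),
        Participant("sess-carol", "carol"),
    ]
    return Room({p.session_id: p for p in people})


def handle_mute_vulnerable(room, sender_session, message):
    """Vulnerable pattern: the client-supplied target is trusted as-is.

    Any participant can name any other session and the server relays the
    command, which is the behaviour the advisory describes."""
    if message.get("action") != "forceMute":
        return False
    target = message.get("target")
    if target not in room.participants:
        return False
    room.relay(target, {"action": "forceMute", "peerId": sender_session})
    return True


def handle_mute_hardened(room, sender_session, message):
    """Hardened pattern: the server decides who may mute whom.

    Policy (as the page describes the fix): a sender may mute its own
    session, and may mute another session only if it is a moderator.
    Every decision is recorded so rejections can be monitored."""
    if message.get("action") != "forceMute":
        return False
    sender = room.participants.get(sender_session)
    target = message.get("target")
    if sender is None or target not in room.participants:
        room.audit.append((sender_session, target, "reject:unknown-session"))
        return False
    if target == sender_session or sender.is_moderator:
        room.relay(target, {"action": "forceMute", "peerId": sender_session})
        room.audit.append((sender_session, target, "allow"))
        return True
    room.audit.append((sender_session, target, "reject:not-moderator"))
    return False


def suspicious_senders(audit, threshold=3):
    """Sessions with at least `threshold` rejected cross-session mute attempts.

    This is the monitoring the advisory recommends, applied to the audit
    records above rather than to any real Nextcloud log format."""
    counts = Counter(sender for sender, _, verdict in audit
                     if verdict == "reject:not-moderator")
    return {sender: n for sender, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    attack = {"action": "forceMute", "target": "sess-carol"}
    vuln = build_room()
    print("vulnerable relays bob->carol:", handle_mute_vulnerable(vuln, "sess-bob", attack))
    fixed = build_room()
    print("hardened relays bob->carol:", handle_mute_hardened(fixed, "sess-bob", attack))
    print("hardened relays alice(mod)->carol:",
          handle_mute_hardened(fixed, "sess-alice", attack))
    print("audit:", fixed.audit)
```

The important design point is that the hardened handler never derives the permission from anything the client sent: the sender's identity comes from the server-side session, the moderator flag from the server's participant record, and the only client-controlled value (`target`) is checked against both before anything is relayed. The audit trail is what makes the monitoring bullet actionable; without a record of rejected attempts there is nothing to count.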

Evidence notes

The CVE description and GitHub Security Advisory confirm the affected versions, patch releases, and mute-forcing behavior. The HackerOne report and pull request #17577 provide the remediation path. The CVSS vector AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N supports the LOW severity rating.

Official resources

2026-06-01