PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45267 nextcloud CVE debrief

A missing authorization check in Nextcloud Forms allowed authenticated users to read form submissions belonging to other users. The vulnerability was disclosed via GitHub Security Advisories and HackerOne, with a fix released in version 5.2.6. No known exploitation in ransomware campaigns has been reported.

Vendor
nextcloud
Product
Nextcloud Forms (listed in the source feed as security-advisories, the name of the vendor's advisory repository)
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

Organizations running Nextcloud Forms versions prior to 5.2.6, particularly those hosting multi-user instances where form data confidentiality is required. Security teams responsible for access control validation in content collaboration platforms should prioritize patching.

Technical summary

Nextcloud Forms, prior to version 5.2.6, did not check whether the requesting user was permitted to read a given form's submissions before returning them. Any authenticated user could therefore request the submissions of a form owned by another user. No elevated role, user interaction or special configuration is required: the CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects a network-reachable endpoint usable by a low-privilege account, with full loss of confidentiality of the exposed submissions and no integrity or availability impact, giving a base score of 6.5 (Medium). The weakness is classified as CWE-862 (Missing Authorization) with CWE-200 (Information Exposure) as the consequence. The issue is fixed in version 5.2.6; the patch is referenced as GitHub pull request #3269.
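The bug class in miniature, as an added illustration that is not Nextcloud Forms code: a handler that verifies only that the caller is logged in beside one that also checks the caller against the specific form being read. The data model, function names and the "result readers" share list are hypothetical; the point is that authentication and authorization are separate checks and the second must be made per object.

```python
"""Authorization check for per-user form submissions.

Added illustration, not Nextcloud Forms code: a minimal model of the
CWE-862 pattern described in the advisory. read_submissions_vulnerable
checks only that the caller is authenticated (the bug class);
read_submissions_fixed also requires that the caller owns the form or was
explicitly granted access to its results. All names and the data model are
hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class Forbidden(Exception):
    """Raised when an authenticated user may not read a form's submissions."""


@dataclass
class Form:
    form_id: int
    owner: str
    # Users explicitly allowed to see results (hypothetical "share results" setting).
    result_readers: Set[str] = field(default_factory=set)
    submissions: List[dict] = field(default_factory=list)


# Constructed sample data: two forms owned by different users.
FORMS: Dict[int, Form] = {
    1: Form(1, "alice", submissions=[{"q1": "alice's private answer"}]),
    2: Form(2, "bob", result_readers={"carol"}, submissions=[{"q1": "bob's answer"}]),
}


def read_submissions_vulnerable(user: Optional[str], form_id: int) -> List[dict]:
    """Bug class: authentication is checked, authorization is not.

    Any logged-in user can read any form's submissions by supplying its id.
    """
    if user is None:
        raise PermissionError("login required")
    return FORMS[form_id].submissions


def can_read_results(user: str, form: Form) -> bool:
    """Authorization rule: the owner, or a user explicitly granted result access."""
    return user == form.owner or user in form.result_readers


def read_submissions_fixed(user: Optional[str], form_id: int) -> List[dict]:
    """Hardened handler: authenticate, then authorize against the specific form."""
    if user is None:
        raise PermissionError("login required")
    form = FORMS.get(form_id)
    # Same error for a missing form and a forbidden one, so a non-owner cannot
    # use the response to enumerate which form ids exist.
    if form is None or not can_read_results(user, form):
        raise Forbidden(f"user {user!r} may not read submissions of form {form_id}")
    return form.submissions


if __name__ == "__main__":
    # mallory is authenticated but owns nothing and has been granted nothing.
    print(read_submissions_vulnerable("mallory", 1))   # leaks alice's data
    try:
        read_submissions_fixed("mallory", 1)
    except Forbidden as e:
        print("blocked:", e)
    print(read_submissions_fixed("carol", 2))          # explicit grant still works
```

The check in `read_submissions_fixed` runs after the form is loaded, which is what makes it an object-level decision rather than a role-level one; a route-level "must be logged in" guard, however strict, cannot express "this form belongs to that user".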

Defensive priority

medium

Recommended defensive actions

  • Upgrade Nextcloud Forms to version 5.2.6 or later to remediate the missing authorization check.
  • Review access logs covering the period before the patch was applied for reads of form submissions by users who neither own the form nor were granted access to its results. Because an ordinary authenticated account was all that was required, any such read is suspicious rather than merely anomalous.
  • After upgrading, validate that reading a form's submissions is refused for an authenticated user who does not own the form and has not been explicitly granted access to its results, and that ownership or explicit sharing is the only path to that data.
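One way to carry out the log review in the second action, as an added example that is neither a PatchSiren nor a Nextcloud tool: successful reads of a submissions endpoint are matched against a table of form owners and explicitly granted readers, and anyone else is flagged. The log line format, the endpoint shape matched by `SUBMISSIONS_RE` and the ownership table are constructed for the example; substitute the real route and the log source (reverse proxy or Nextcloud itself) before running it against production data.

```python
"""Retrospective review of submission reads by non-owners.

Added example, not a Nextcloud or PatchSiren tool: given pre-patch access log
lines and a map of form id -> (owner, users granted result access), flag
successful reads of a form's submissions by a user who is neither. The log
line format and the URL pattern are constructed and hypothetical; adapt
LINE_RE and SUBMISSIONS_RE to the log source actually in front of the
Nextcloud instance.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed log format: "<iso-time> <user> <method> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Hypothetical endpoint shape for reading a form's submissions; the numeric
# id is the form. Adjust to the real route before use.
SUBMISSIONS_RE = re.compile(r"/apps/forms/api/v\d+/submissions/(?P<form_id>\d+)(?:[/?]|$)")

# Constructed ownership table: form id -> (owner, users granted result access)
FORM_ACCESS: Dict[int, Tuple[str, Set[str]]] = {
    1: ("alice", set()),
    2: ("bob", {"carol"}),
}

# Constructed sample log: one legitimate owner read, one granted read, two
# reads by an unrelated account, a failed probe and a submission (POST).
SAMPLE_LOG = """\
2026-05-20T09:01:02Z alice GET /apps/forms/api/v2/submissions/1 200
2026-05-20T09:02:15Z mallory GET /apps/forms/api/v2/submissions/1 200
2026-05-20T09:03:40Z carol GET /apps/forms/api/v2/submissions/2?limit=50 200
2026-05-20T09:04:11Z mallory GET /apps/forms/api/v2/submissions/2 200
2026-05-20T09:05:00Z mallory GET /apps/forms/api/v2/submissions/3 404
2026-05-20T09:06:30Z dave POST /apps/forms/api/v2/submissions/1 201
"""


def find_unauthorized_reads(log_text: str,
                            access: Dict[int, Tuple[str, Set[str]]]) -> List[dict]:
    """Return successful GETs of submissions by users who are neither owner nor granted reader."""
    findings: List[dict] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real review should count these
        if m["method"] != "GET" or not m["status"].startswith("2"):
            continue  # only successful reads matter; a POST is a submission, not a read
        s = SUBMISSIONS_RE.search(m["path"])
        if not s:
            continue
        form_id = int(s["form_id"])
        owner, readers = access.get(form_id, (None, set()))
        if m["user"] == owner or m["user"] in readers:
            continue
        # Unknown form ids (owner None) are also reported: a 2xx read of a form
        # missing from the ownership table needs a human look.
        findings.append({"ts": m["ts"], "user": m["user"], "form_id": form_id, "owner": owner})
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_reads(SAMPLE_LOG, FORM_ACCESS):
        print(f)
```

Two caveats apply to any such review. A web server log proves only that a request was served, not how much data the response carried, so pair each hit with the size of the form's submission set when assessing impact. And the ownership table must reflect every legitimate path to the results (owner plus any explicit grant); a grant the table does not capture shows up as a false positive, while logs that record only a client address and not the authenticated user cannot support this analysis at all.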

Evidence notes

The CVE description states that prior to version 5.2.6, a missing permissions check allowed users to request reading form submissions of other users. The NVD record lists the vulnerability status as Deferred. The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N yields a base score of 6.5 (Medium): network-reachable, low attack complexity, low privileges (any authenticated account), no user interaction, unchanged scope, high confidentiality impact and no integrity or availability impact. Weaknesses are identified as CWE-200 (Information Exposure) and CWE-862 (Missing Authorization). The fix is referenced in GitHub pull request #3269 and security advisory GHSA-r4gh-f8x6-m55f. A HackerOne report (#3628817) is also associated with this disclosure.

Official resources

2026-06-01