These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
A missing authorization check in Nextcloud Forms allowed authenticated users to read form submissions belonging to other users. The vulnerability was disclosed via GitHub Security Advisories and HackerOne, with a fix released in version 5.2.6. No known exploitation in ransomware campaigns has been reported.
A low-privilege user in Nextcloud Talk (Spreed) can forcefully mute other participants' microphones during calls when no High-performance Backend is installed. The vulnerability stems from improper authorization checks (CWE-284) in the signaling path, allowing a client-side mute command to be applied to arbitrary participants rather than only the caller's own session. The CVSS 3.1 score of 3.5 (LOW) refle [truncated]
A medium-severity authorization bypass in Nextcloud Group Folders allows users with only READ and CREATE permissions to rename files within team folders, despite lacking explicit UPDATE permission. This represents an improper access control condition (CWE-284) where the rename operation is not adequately gated by the UPDATE permission check. The vulnerability affects Nextcloud versions 17.0.0 through 17.0 [truncated]
A vulnerability in Nextcloud's end-to-end encryption (E2EE) feature allowed malicious users with access to an E2EE files drop link to upload files into other E2EE folders belonging to the share owner. The issue affected multiple versions of the end_to_end_encryption app and was resolved through authorization boundary fixes.
A medium-severity information disclosure vulnerability in Nextcloud Server allows a malicious user with access to a file share to leverage the share token to access chunking upload endpoints and view temporary part files during ongoing uploads. The issue affects Nextcloud Server versions 32.0.0 through 32.0.8 and 33.0.0 through 33.0.2. The vulnerability stems from improper access control (CWE-284) where s [truncated]
CVE-2026-45156 is a HIGH-severity (CVSS 8.1) authentication bypass vulnerability in Nextcloud's User OIDC application. The flaw stems from missing signature verification in the ID4me authentication flow, allowing a malicious ID4me authority to impersonate any user on affected Nextcloud instances. The vulnerability exists in User OIDC versions from 0.3.0 to before 3.1.0, from 5.0.0 to before 5.1.0, and 6.0 [truncated]
A missing access control check in Nextcloud Server's Circles API allows authenticated users with low privileges to add arbitrary circles to other circles by ID, potentially enabling membership tracking when circle IDs are obtained through other means. The vulnerability affects Nextcloud Server 32.0.0–32.0.6 and 33.0.0, with fixes available in 32.0.7 and 33.0.1. The attack complexity is high due to 62^15 p [truncated]
A low-severity access control issue in Nextcloud Collectives allowed guests with view-only access to a shared collective to retrieve deleted pages directly from the trashbin. The flaw existed from version 2.6.0 up to, but not including, version 4.3.0 and was addressed in version 4.3.0. The vulnerability stems from improper access control (CWE-284) where the trashbin retention mechanism did not enforce the same vi [truncated]
A medium-severity authentication bypass vulnerability in the Nextcloud Files Android application allows a local attacker with physical device access to circumvent the application PIN protection. The flaw exists in versions 33.0.0 through 33.0.x, where unlocking a locked Android device and subsequently using the system back-button enables navigation past the application's PIN screen without valid authentic [truncated]