CVE-2026-45278 Overview
CVE-2026-45278 is an open redirect vulnerability [CWE-601] in the Nextcloud user_oidc application, which provides OpenID Connect (OIDC) authentication for the Nextcloud content collaboration platform. Affected versions range from 6.1.0 up to but not including 8.2.2. An attacker can craft a malicious login link that redirects users to an attacker-controlled website after they initiate authentication through user_oidc. The flaw requires user interaction and typically supports phishing or credential-theft chains. Nextcloud patched the issue in user_oidc version 8.2.2.
Critical Impact
Attackers can abuse the OIDC login flow to redirect authenticated users to attacker-controlled domains, enabling phishing and credential theft against Nextcloud deployments.
Affected Products
- Nextcloud user_oidc versions 6.1.0 through 8.2.1
- Nextcloud deployments using the user_oidc app for OpenID Connect authentication
- Fixed in Nextcloud user_oidc 8.2.2
Discovery Timeline
- 2026-06-01 - CVE-2026-45278 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-45278
Vulnerability Analysis
The vulnerability resides in the login redirection logic of the user_oidc app. When a user initiates authentication via an OIDC login link, the application accepts a redirect parameter that is not properly validated against an allowlist of trusted destinations. An attacker can craft a login URL that completes the OIDC flow and then sends the victim to an arbitrary external site.
Because the redirect occurs in the context of a legitimate Nextcloud login URL, victims are unlikely to inspect the final destination. Attackers commonly chain open redirects with phishing pages that mimic Nextcloud or downstream identity providers to harvest credentials, session tokens, or multi-factor codes.
The issue is classified under CWE-601: URL Redirection to Untrusted Site. Exploitation requires the victim to click the attacker-supplied link, and the scope change reflects the impact crossing from the Nextcloud origin to a third-party site.
Root Cause
The user_oidc app failed to validate the destination URL used after login completion. Redirect targets supplied in the login request were accepted without enforcing that the target host belonged to the Nextcloud instance or an approved domain list.
Attack Vector
An attacker constructs a Nextcloud login URL containing a manipulated post-login redirect parameter pointing to an attacker-controlled domain. The link is distributed via email, chat, or web content. When the victim authenticates through user_oidc, the application processes the OIDC handshake and then redirects the browser to the attacker's site, where phishing or token-theft content is served.
No authentication or special privileges are required to craft the link. The attacker only needs the victim to click and complete login. Technical details are documented in the GitHub Security Advisory GHSA-8wjr-5cg8-4w73, the user_oidc pull request #1273, and HackerOne report #3464925.
Detection Methods for CVE-2026-45278
Indicators of Compromise
- Login requests to user_oidc endpoints containing redirect parameters pointing to external, non-Nextcloud domains.
- Web server or reverse proxy logs showing HTTP 302 responses from user_oidc login flows redirecting to unfamiliar hosts.
- User reports of being sent to unexpected pages after logging into Nextcloud.
- Inbound emails or chat messages distributing Nextcloud login URLs with unusually long or encoded query strings.
Detection Strategies
- Parse Nextcloud and reverse proxy access logs for user_oidc login URLs and extract redirect parameters. Compare destination hosts against an allowlist of approved domains.
- Monitor referer headers on outbound web traffic to identify users who were redirected from Nextcloud to suspicious external sites.
- Inspect mail and messaging gateways for URLs matching the Nextcloud login path combined with external redirect targets.
Monitoring Recommendations
- Centralize Nextcloud web logs in a SIEM or data lake and alert on user_oidc redirect parameters resolving outside the trusted domain set.
- Track the deployed user_oidc app version across Nextcloud instances and alert when it falls below 8.2.2.
- Correlate post-login redirects with subsequent credential entry events on external domains to surface active phishing campaigns.
How to Mitigate CVE-2026-45278
Immediate Actions Required
- Upgrade the Nextcloud user_oidc app to version 8.2.2 or later on all instances.
- Audit recent user_oidc login flows for redirects to untrusted domains and notify affected users.
- Reset credentials and active sessions for users who may have been redirected to phishing pages.
- Communicate to users that legitimate Nextcloud logins should not route through external domains.
Patch Information
Nextcloud released the fix in user_oidc version 8.2.2. The change set is available in pull request #1273, and remediation guidance is provided in the GitHub Security Advisory GHSA-8wjr-5cg8-4w73. Administrators using the Nextcloud app store can update via the standard Apps management interface or by deploying the updated package directly.
Workarounds
- If immediate patching is not possible, restrict access to the user_oidc login endpoint to known networks via reverse proxy rules.
- Configure web application firewall (WAF) rules to block or strip external redirect parameters on user_oidc login URLs.
- Temporarily disable the user_oidc app and fall back to an alternative authentication method until the update is applied.
# Update the user_oidc app via the Nextcloud occ command-line tool
sudo -u www-data php occ app:update user_oidc
sudo -u www-data php occ app:list | grep user_oidc
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

