Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45278

CVE-2026-45278: Nextcloud User OIDC XSS Vulnerability

CVE-2026-45278 is a cross-site scripting vulnerability in Nextcloud User OIDC allowing attackers to redirect users to malicious sites through crafted login links. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-45278 Overview

CVE-2026-45278 is an open redirect vulnerability [CWE-601] in the Nextcloud user_oidc application, which provides OpenID Connect (OIDC) authentication for the Nextcloud content collaboration platform. Affected versions range from 6.1.0 up to but not including 8.2.2. An attacker can craft a malicious login link that redirects users to an attacker-controlled website after they initiate authentication through user_oidc. The flaw requires user interaction and typically supports phishing or credential-theft chains. Nextcloud patched the issue in user_oidc version 8.2.2.

Critical Impact

Attackers can abuse the OIDC login flow to redirect authenticated users to attacker-controlled domains, enabling phishing and credential theft against Nextcloud deployments.

Affected Products

  • Nextcloud user_oidc versions 6.1.0 through 8.2.1
  • Nextcloud deployments using the user_oidc app for OpenID Connect authentication
  • Fixed in Nextcloud user_oidc 8.2.2

Discovery Timeline

  • 2026-06-01 - CVE-2026-45278 published to NVD
  • 2026-06-03 - Last updated in NVD database

Technical Details for CVE-2026-45278

Vulnerability Analysis

The vulnerability resides in the login redirection logic of the user_oidc app. When a user initiates authentication via an OIDC login link, the application accepts a redirect parameter that is not properly validated against an allowlist of trusted destinations. An attacker can craft a login URL that completes the OIDC flow and then sends the victim to an arbitrary external site.

Because the redirect occurs in the context of a legitimate Nextcloud login URL, victims are unlikely to inspect the final destination. Attackers commonly chain open redirects with phishing pages that mimic Nextcloud or downstream identity providers to harvest credentials, session tokens, or multi-factor codes.

The issue is classified under CWE-601: URL Redirection to Untrusted Site. Exploitation requires the victim to click the attacker-supplied link, and the scope change reflects the impact crossing from the Nextcloud origin to a third-party site.

Root Cause

The user_oidc app failed to validate the destination URL used after login completion. Redirect targets supplied in the login request were accepted without enforcing that the target host belonged to the Nextcloud instance or an approved domain list.

Attack Vector

An attacker constructs a Nextcloud login URL containing a manipulated post-login redirect parameter pointing to an attacker-controlled domain. The link is distributed via email, chat, or web content. When the victim authenticates through user_oidc, the application processes the OIDC handshake and then redirects the browser to the attacker's site, where phishing or token-theft content is served.

No authentication or special privileges are required to craft the link. The attacker only needs the victim to click and complete login. Technical details are documented in the GitHub Security Advisory GHSA-8wjr-5cg8-4w73, the user_oidc pull request #1273, and HackerOne report #3464925.

Detection Methods for CVE-2026-45278

Indicators of Compromise

  • Login requests to user_oidc endpoints containing redirect parameters pointing to external, non-Nextcloud domains.
  • Web server or reverse proxy logs showing HTTP 302 responses from user_oidc login flows redirecting to unfamiliar hosts.
  • User reports of being sent to unexpected pages after logging into Nextcloud.
  • Inbound emails or chat messages distributing Nextcloud login URLs with unusually long or encoded query strings.

Detection Strategies

  • Parse Nextcloud and reverse proxy access logs for user_oidc login URLs and extract redirect parameters. Compare destination hosts against an allowlist of approved domains.
  • Monitor referer headers on outbound web traffic to identify users who were redirected from Nextcloud to suspicious external sites.
  • Inspect mail and messaging gateways for URLs matching the Nextcloud login path combined with external redirect targets.

Monitoring Recommendations

  • Centralize Nextcloud web logs in a SIEM or data lake and alert on user_oidc redirect parameters resolving outside the trusted domain set.
  • Track the deployed user_oidc app version across Nextcloud instances and alert when it falls below 8.2.2.
  • Correlate post-login redirects with subsequent credential entry events on external domains to surface active phishing campaigns.

How to Mitigate CVE-2026-45278

Immediate Actions Required

  • Upgrade the Nextcloud user_oidc app to version 8.2.2 or later on all instances.
  • Audit recent user_oidc login flows for redirects to untrusted domains and notify affected users.
  • Reset credentials and active sessions for users who may have been redirected to phishing pages.
  • Communicate to users that legitimate Nextcloud logins should not route through external domains.

Patch Information

Nextcloud released the fix in user_oidc version 8.2.2. The change set is available in pull request #1273, and remediation guidance is provided in the GitHub Security Advisory GHSA-8wjr-5cg8-4w73. Administrators using the Nextcloud app store can update via the standard Apps management interface or by deploying the updated package directly.

Workarounds

  • If immediate patching is not possible, restrict access to the user_oidc login endpoint to known networks via reverse proxy rules.
  • Configure web application firewall (WAF) rules to block or strip external redirect parameters on user_oidc login URLs.
  • Temporarily disable the user_oidc app and fall back to an alternative authentication method until the update is applied.
bash
# Update the user_oidc app via the Nextcloud occ command-line tool
sudo -u www-data php occ app:update user_oidc
sudo -u www-data php occ app:list | grep user_oidc

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.