CVE-2026-45282 Overview
CVE-2026-45282 is a broken access control vulnerability [CWE-284] in Nextcloud Server affecting attachment retrieval for link shares. An authenticated attacker who knows a valid share token can fetch attachments associated with that link share, bypassing the share's password protection and download restrictions. The flaw resides in the Nextcloud Text component and affects both Nextcloud Server and Nextcloud Enterprise Server. Besides the share token, the attacker must supply a documentId. When the share points directly at a file, a documentId the attacker already owns suffices and exploitation is straightforward; when the share points at a folder, the attacker must know or guess the documentId of a file inside that folder, which raises the difficulty.
Critical Impact
Authenticated attackers can retrieve attachments from password-protected or download-restricted link shares, leading to unauthorized disclosure of confidential content stored in Nextcloud.
Affected Products
- Nextcloud Server versions 32.0.0 to before 32.0.9
- Nextcloud Server versions 33.0.0 to before 33.0.3
- Nextcloud Enterprise Server versions 27.1.x, 28.0.x, 29.0.x, 30.0.x, 31.0.x, 32.0.x, and 33.0.x prior to the fixed releases
Discovery Timeline
- 2026-06-01 - CVE-2026-45282 published to the National Vulnerability Database
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-45282
Vulnerability Analysis
The vulnerability resides in how Nextcloud Text handles attachment access when content is exposed through link shares. Link shares can be protected by passwords and download restrictions, but the attachment retrieval path does not consistently enforce those controls. An authenticated attacker submitting a valid share token along with a documentId can fetch attachments that should be gated behind the share's security settings. The attacker cannot retrieve the shared file or folder itself; only attachments referenced from the shared document are exposed. The fix is implemented in Nextcloud Text Pull Request #8499, which tightens the authorization checks before serving attachment content.
Root Cause
The root cause is missing authorization enforcement on the attachment endpoint within the Nextcloud Text component. Share-level controls such as password gates and download restrictions are evaluated for the primary share resource but are not propagated to the attachment retrieval logic, allowing access when the request supplies a known share token and documentId.
Attack Vector
The attack is network-based and requires low privileges — the attacker must be authenticated to the Nextcloud instance. The attacker supplies the share token (typically obtained legitimately or through observation of a shared link) and a documentId. For directly shared files, a documentId the attacker owns is sufficient. For folder shares, the attacker must enumerate or guess a documentId of a file inside the folder, which constrains practical exploitation.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-35fx-69q6-xpjr and the upstream Text pull request #8499 for the patched logic.
Detection Methods for CVE-2026-45282
Indicators of Compromise
- Repeated authenticated requests to Nextcloud Text attachment endpoints referencing the same share token with varying documentId values, indicative of enumeration.
- Attachment downloads originating from accounts that have not interacted with the parent shared document.
- Successful attachment retrievals on link shares configured with password protection or download restrictions, where the password challenge was never completed.
Detection Strategies
- Review Nextcloud audit logs for text/attachment route access correlated with link share tokens that have password protection enabled.
- Baseline normal access patterns to shared folder attachments and flag accounts requesting attachments tied to documents they did not author or open.
- Hunt for HTTP request bursts targeting attachment endpoints with sequential or guessed documentId parameters.
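The enumeration pattern described above (one share token, many documentId values in a short burst) can be hunted directly in web server access logs. The following is an added example, not code from the advisory or from the Nextcloud project: it parses combined-format log lines, keeps only requests to the Text attachment route that carry a share token and a documentId, and flags any token that sees at least five distinct documentId values inside a five-minute window, noting whether the ids form a consecutive run. The route pattern (ATTACHMENT_PATH) and the query parameter names (shareToken, documentId) are assumptions and must be adjusted to the real route of the deployed Text version; the sample log lines are constructed, and the user field is filled in only for readability (a real Nextcloud access log usually shows "-" there, so pivot on source IP or session instead).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# ASSUMPTIONS (not taken from the advisory): the attachment endpoint path matches
# ATTACHMENT_PATH and the share token / documentId arrive as query parameters with
# the names below. Adjust both to the route of the deployed Nextcloud Text version.
ATTACHMENT_PATH = re.compile(r"/apps/text/.*attachment")
TOKEN_PARAM = "shareToken"
DOC_PARAM = "documentId"

# Apache/nginx "combined" format: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_attachment_request(line):
    """Return a dict for attachment requests carrying a share token and documentId, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not ATTACHMENT_PATH.search(url.path):
        return None
    query = parse_qs(url.query)
    token = query.get(TOKEN_PARAM, [None])[0]
    doc = query.get(DOC_PARAM, [None])[0]
    if token is None or doc is None:
        return None
    return {
        "ip": m["ip"],
        "user": m["user"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "token": token,
        "doc": doc,
        "status": int(m["status"]),
    }


def is_sequential(doc_ids):
    """True if the distinct numeric documentIds form one consecutive run (1001, 1002, ...)."""
    try:
        nums = sorted({int(d) for d in doc_ids})
    except ValueError:
        return False
    return len(nums) > 1 and nums[-1] - nums[0] == len(nums) - 1


def find_enumeration(lines, window=timedelta(minutes=5), min_docs=5):
    """Flag share tokens that see >= min_docs distinct documentIds within `window`.

    For each token the densest window (most distinct ids) is reported, one alert per token.
    """
    events = [e for e in map(parse_attachment_request, lines) if e]
    by_token = defaultdict(list)
    for e in events:
        by_token[e["token"]].append(e)
    alerts = []
    for token, evs in sorted(by_token.items()):
        evs.sort(key=lambda e: e["ts"])
        best = None  # (distinct doc count, events in that window)
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            docs = {e["doc"] for e in span}
            if len(docs) >= min_docs and (best is None or len(docs) > best[0]):
                best = (len(docs), span)
        if best:
            count, span = best
            alerts.append({
                "token": token,
                "distinct_docs": count,
                "successes": sum(1 for e in span if e["status"] == 200),
                "sequential": is_sequential({e["doc"] for e in span}),
                "sources": sorted({(e["ip"], e["user"]) for e in span}),
            })
    return alerts


# Constructed sample log lines (not real traffic). "mallory" walks six consecutive
# documentIds against one share token in under a minute; "alice" fetches the same
# attachment twice, which is normal use; the last line is not an attachment request.
SAMPLE_LOG = """\
203.0.113.7 - mallory [10/Jun/2026:12:00:01 +0000] "GET /apps/text/public/attachment?shareToken=kQ7pZx9mNv2Lw4R&documentId=1001 HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - mallory [10/Jun/2026:12:00:03 +0000] "GET /apps/text/public/attachment?shareToken=kQ7pZx9mNv2Lw4R&documentId=1002 HTTP/1.1" 200 4096 "-" "curl/8.5.0"
203.0.113.7 - mallory [10/Jun/2026:12:00:05 +0000] "GET /apps/text/public/attachment?shareToken=kQ7pZx9mNv2Lw4R&documentId=1003 HTTP/1.1" 404 0 "-" "curl/8.5.0"
203.0.113.7 - mallory [10/Jun/2026:12:00:08 +0000] "GET /apps/text/public/attachment?shareToken=kQ7pZx9mNv2Lw4R&documentId=1004 HTTP/1.1" 200 1024 "-" "curl/8.5.0"
203.0.113.7 - mallory [10/Jun/2026:12:00:11 +0000] "GET /apps/text/public/attachment?shareToken=kQ7pZx9mNv2Lw4R&documentId=1005 HTTP/1.1" 200 2048 "-" "curl/8.5.0"
203.0.113.7 - mallory [10/Jun/2026:12:00:14 +0000] "GET /apps/text/public/attachment?shareToken=kQ7pZx9mNv2Lw4R&documentId=1006 HTTP/1.1" 200 3072 "-" "curl/8.5.0"
198.51.100.20 - alice [10/Jun/2026:12:01:00 +0000] "GET /apps/text/public/attachment?shareToken=aB3dE5fG7hJ9kLm&documentId=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.20 - alice [10/Jun/2026:12:09:00 +0000] "GET /apps/text/public/attachment?shareToken=aB3dE5fG7hJ9kLm&documentId=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.20 - alice [10/Jun/2026:12:09:05 +0000] "GET /apps/files/?dir=/Documents HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the single alert names the mallory token with six distinct documentIds, five successful retrievals and a sequential id run; alice's repeated fetch of one documentId produces nothing. Tune `min_docs` and `window` to the instance's baseline: a large shared folder legitimately opened by many users will show many documentIds per token over a day, but rarely a consecutive run from one source within minutes.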
Monitoring Recommendations
- Forward Nextcloud application and web server logs to a centralized analytics platform and retain at least 90 days of share access events.
- Alert on anomalous volumes of attachment downloads per user session, especially on shares marked as password-protected.
- Monitor for share tokens on password-protected link shares where attachment retrieval succeeds without a preceding successful password challenge for the same token.
How to Mitigate CVE-2026-45282
Immediate Actions Required
- Upgrade Nextcloud Server to 32.0.9 or 33.0.3, whichever matches the deployed branch, without delay.
- Upgrade Nextcloud Enterprise Server to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, or 27.1.11.5 depending on the deployed branch.
- Audit existing link shares that rely on password protection or download restrictions and rotate share tokens for shares containing sensitive attachments.
Patch Information
The fix is published in the Nextcloud Security Advisory GHSA-35fx-69q6-xpjr and implemented in Nextcloud Text PR #8499. Additional technical context is available in the HackerOne report #3577244. Apply vendor-provided updates through the standard Nextcloud updater or package manager.
Workarounds
- Disable the Nextcloud Text application on affected servers (from the Apps admin page or with the occ app:disable command) if immediate patching is not possible, accepting the loss of collaborative editing functionality.
- Remove or recreate link shares that contain sensitive attachments to invalidate existing share tokens known to external parties.
- Restrict link share creation to trusted user groups via Nextcloud sharing policies until patches are deployed.
# Upgrade Nextcloud Server using the built-in updater (example)
sudo -u www-data php /var/www/nextcloud/updater/updater.phar
# Verify installed version after upgrade
sudo -u www-data php /var/www/nextcloud/occ status
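To turn the version check into something a fleet script can act on, the following added example (not code from the advisory or from Nextcloud) compares an installed version string against the fixed releases listed on this page. Versions on a branch below that branch's fixed release are reported as affected; branches the page lists only for Enterprise Server (27.1 through 31.0) are checked only when `enterprise=True`, and a branch the page does not mention returns None rather than a verdict. The helper that reads `occ status --output=json` assumes that output carries a `versionstring` field.

```python
import json

# Fixed releases as stated on this page. Anything on the same major.minor branch
# below the listed release is treated as affected.
SERVER_FIXED = {
    (32, 0): (32, 0, 9),
    (33, 0): (33, 0, 3),
}
ENTERPRISE_FIXED = {
    (27, 1): (27, 1, 11, 5),
    (28, 0): (28, 0, 14, 17),
    (29, 0): (29, 0, 16, 16),
    (30, 0): (30, 0, 17, 9),
    (31, 0): (31, 0, 14, 5),
    (32, 0): (32, 0, 9),
    (33, 0): (33, 0, 3),
}


def parse_version(version_string):
    """'32.0.8' -> (32, 0, 8); the 4-part internal form '32.0.8.1' also works."""
    return tuple(int(part) for part in version_string.strip().split("."))


def _pad(version, width=4):
    """Right-pad with zeros so 3- and 4-part versions compare correctly."""
    return version + (0,) * (width - len(version))


def is_affected(version_string, enterprise=False):
    """True if affected, False if at or above the fixed release, None if the
    branch is not listed on this page for the given edition."""
    version = parse_version(version_string)
    fixed_map = ENTERPRISE_FIXED if enterprise else SERVER_FIXED
    fixed = fixed_map.get(version[:2])
    if fixed is None:
        return None
    return _pad(version) < _pad(fixed)


def check_occ_status_json(text, enterprise=False):
    """Evaluate the JSON printed by `occ status --output=json` (assumed to carry
    a 'versionstring' field, e.g. "32.0.8"). Returns (versionstring, verdict)."""
    data = json.loads(text)
    version_string = data["versionstring"]
    return version_string, is_affected(version_string, enterprise=enterprise)


if __name__ == "__main__":
    # Constructed sample of occ status JSON output; not from a real instance.
    sample = '{"installed":true,"version":"32.0.8.1","versionstring":"32.0.8","edition":""}'
    print(check_occ_status_json(sample))
```

Pipe the real output in with `sudo -u www-data php /var/www/nextcloud/occ status --output=json` and treat a None verdict as "consult the advisory", not as "safe".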
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.