CVE-2026-45283 Overview
CVE-2026-45283 affects Nextcloud Server, an open source content collaboration platform. The files_lock app fails to validate file ownership when processing WebDAV (Web Distributed Authoring and Versioning) LOCK and UNLOCK requests. An authenticated user can lock or unlock files owned by other users by referencing absolute WebDAV paths. The vulnerability also causes lock tokens to be disclosed in error responses, enabling attackers to remove token-based locks placed by other users' client applications. The flaw is categorized under [CWE-287] Improper Authentication.
Critical Impact
Authenticated attackers can manipulate file locks on resources they do not own, disrupting collaborative workflows and exposing lock tokens to unauthorized parties.
Affected Products
- Nextcloud Server versions 32.0.0 to before 32.0.2
- Nextcloud Server versions 33.0.0 to before 33.0.1
- Nextcloud Enterprise Server versions prior to 31.0.14.4, 32.0.2, or 33.0.1
Discovery Timeline
- 2026-06-01 - CVE-2026-45283 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-45283
Vulnerability Analysis
The vulnerability resides in the files_lock app, which provides file locking functionality over WebDAV. When processing LOCK and UNLOCK DAV requests, the application does not verify whether the authenticated caller owns or has permission to operate on the target resource. An attacker who holds any valid user account can target the absolute WebDAV path of another user's files and manipulate their lock state.
A secondary issue compounds the impact: lock tokens, which should remain confidential to the locking client, are leaked back in error responses sent to unauthorized callers. With a leaked token, an attacker can remove token-based locks placed by legitimate client applications, including desktop sync clients that depend on locks for conflict prevention.
Root Cause
The root cause is missing ownership and authorization validation in the request handler for DAV LOCK and UNLOCK operations. The handler accepted absolute WebDAV paths without confirming the requesting user had rights to the resource. Error response handling additionally included sensitive lock token data instead of returning a generic error.
Attack Vector
Exploitation requires an authenticated, low-privilege account on the Nextcloud instance. The attacker issues a crafted WebDAV LOCK or UNLOCK request against the absolute path of a victim's file. The server processes the operation without ownership checks, applying or removing the lock. To recover existing tokens, the attacker triggers error conditions that cause the server to return the token in the response body, then replays the token in subsequent UNLOCK requests. The fix is described in the Nextcloud files_lock Pull Request #1007 and the Nextcloud Security Advisory GHSA-4chh-6mhf-p4jj.
Detection Methods for CVE-2026-45283
Indicators of Compromise
- WebDAV LOCK or UNLOCK requests where the authenticated user differs from the owner of the target path
- HTTP error responses from the files_lock endpoint containing lock token values
- Unexpected lock state changes on files reported by desktop sync clients or end users
Detection Strategies
- Parse Nextcloud access logs for LOCK and UNLOCK methods against /remote.php/dav/files/<user>/ paths where the path user does not match the session user
- Alert on repeated DAV error responses returned to a single authenticated user account within a short window
- Correlate user complaints about inaccessible or unexpectedly locked files with WebDAV activity in audit logs
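The first two detection strategies above, as an added example that is not part of the advisory or of Nextcloud's own tooling: a Python check over constructed Apache-style access-log lines that flags LOCK/UNLOCK requests whose path owner differs from the authenticated user, and users who receive a burst of DAV error responses. It assumes the web server logs the HTTP Basic-auth username in the user field (typical for desktop sync clients) and that `/remote.php/dav/files/<user>/` is the path layout in use.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote
# Apache/nginx "combined" access-log lines; the third field (%u) carries the HTTP
# Basic-auth user. Assumption: cookie-based browser sessions log "-" and are skipped.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
DAV_FILES_RE = re.compile(r'^/remote\.php/dav/files/(?P<owner>[^/]+)/')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def cross_user_lock_ops(lines):
    """LOCK/UNLOCK requests whose path owner is not the authenticated user."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        owner = DAV_FILES_RE.match(rec["path"])
        if rec["method"] in ("LOCK", "UNLOCK") and owner and rec["user"] != "-":
            # the user path segment may be percent-encoded, so decode before comparing
            if unquote(owner["owner"]).lower() != rec["user"].lower():
                hits.append((rec["user"], rec["method"], rec["path"]))
    return hits

def dav_error_bursts(lines, threshold=3, window_s=60):
    """Users who got >= threshold error responses to LOCK/UNLOCK within window_s."""
    per_user = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] in ("LOCK", "UNLOCK") and rec["status"] >= 400 and rec["user"] != "-":
            per_user[rec["user"]].append(rec["ts"])
    flagged = set()
    for user, ts in per_user.items():
        ts.sort()
        if any((ts[i + threshold - 1] - ts[i]).total_seconds() <= window_s
               for i in range(len(ts) - threshold + 1)):
            flagged.add(user)
    return flagged

# Constructed sample: carol touches alice's and bob's files; alice locks her own file.
SAMPLE_LOG = """\
10.0.0.5 - carol [03/Jun/2026:10:00:01 +0000] "LOCK /remote.php/dav/files/alice/report.docx HTTP/1.1" 200 512
10.0.0.5 - carol [03/Jun/2026:10:00:02 +0000] "UNLOCK /remote.php/dav/files/alice/report.docx HTTP/1.1" 423 300
10.0.0.5 - carol [03/Jun/2026:10:00:09 +0000] "UNLOCK /remote.php/dav/files/bob/plan.xlsx HTTP/1.1" 423 300
10.0.0.5 - carol [03/Jun/2026:10:00:15 +0000] "UNLOCK /remote.php/dav/files/bob/plan.xlsx HTTP/1.1" 409 300
10.0.0.7 - alice [03/Jun/2026:10:00:20 +0000] "LOCK /remote.php/dav/files/alice/notes.md HTTP/1.1" 200 512
10.0.0.9 - - [03/Jun/2026:10:00:25 +0000] "PROPFIND /remote.php/dav/files/bob/ HTTP/1.1" 207 2048
""".splitlines()
```

Run against real logs by replacing SAMPLE_LOG with the lines of the web server's access log; a non-empty result from either function is the alert condition.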
Monitoring Recommendations
- Enable Nextcloud audit logging for file operations and DAV requests
- Forward WebDAV access logs to a centralized log analytics platform for cross-user correlation
- Track the volume of 423 Locked and related DAV error responses per user account as a baseline anomaly indicator
How to Mitigate CVE-2026-45283
Immediate Actions Required
- Upgrade Nextcloud Server to version 32.0.2 or 33.0.1 as recommended by the vendor
- Upgrade Nextcloud Enterprise Server to 31.0.14.4, 32.0.2, or 33.0.1
- Review recent WebDAV LOCK and UNLOCK activity for cross-user abuse before patching
- Notify users to report any files that appear locked or modified unexpectedly
Patch Information
The upstream fix is implemented in Nextcloud files_lock Pull Request #1007. The patch adds ownership validation to DAV lock and unlock handlers and removes lock token disclosure from error responses. Full details are documented in the Nextcloud Security Advisory GHSA-4chh-6mhf-p4jj and the HackerOne Report #3301553.
Workarounds
- No official workaround is published by the vendor; upgrading is the supported remediation
- Restrict account creation and review existing low-privilege accounts to limit the population of potential attackers until patches are applied
- Temporarily disable the files_lock app if business workflows allow, accepting the loss of file locking functionality
# Upgrade Nextcloud Server using the built-in updater (example)
sudo -u www-data php /var/www/nextcloud/updater/updater.phar
# Verify installed version after upgrade
sudo -u www-data php /var/www/nextcloud/occ status
# Optional: disable files_lock app as a temporary measure
sudo -u www-data php /var/www/nextcloud/occ app:disable files_lock
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.