CVE-2026-45284 Overview
CVE-2026-45284 is a broken access control vulnerability [CWE-284] in the Nextcloud user_oidc application. The flaw affects versions from 1.3.6 up to but not including 8.4.0. A missing validation check allowed users originally provisioned through Lightweight Directory Access Protocol (LDAP) to continue authenticating through the OpenID Connect (OIDC) backend after their Nextcloud accounts had been deleted. This breaks the expected account lifecycle: an identity that has been removed keeps its access to the Nextcloud collaboration platform as long as the upstream identity provider still issues tokens for it. Nextcloud patched the issue in user_oidc version 8.4.0.
Critical Impact
Deleted LDAP-provisioned users can still authenticate through the user_oidc app. A removed identity therefore regains whatever the account could previously read (confidentiality), modify (integrity) or consume (availability) on the Nextcloud instance, with none of the new-account provisioning steps that would normally gate that access.
Affected Products
- Nextcloud user_oidc versions 1.3.6 through 8.3.x
- Nextcloud instances integrating LDAP user provisioning with OIDC authentication
- Self-hosted Nextcloud deployments relying on user_oidc for single sign-on
Discovery Timeline
- 2026-06-01 - CVE-2026-45284 published to the National Vulnerability Database
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-45284
Vulnerability Analysis
The vulnerability resides in the Nextcloud user_oidc application, which handles OpenID Connect authentication for Nextcloud users. Nextcloud supports multiple user backends, including LDAP and OIDC, and administrators commonly link the two so that LDAP-provisioned identities authenticate through an upstream Identity Provider (IdP).
When an LDAP-provisioned user was deleted from Nextcloud, the user_oidc login flow did not verify that the corresponding local account still existed and was enabled. A valid OIDC token issued by the upstream IdP therefore still mapped to the deleted user and re-established an authenticated session on the Nextcloud instance.
The issue is classified as improper access control [CWE-284]. The attack requires low privileges (the actor must still be able to authenticate at the upstream IdP as the mapped identity) and no user interaction.
Root Cause
The root cause is a missing existence and state check during the OIDC authentication callback. The user_oidc app trusted the identity claim from the IdP without confirming that the mapped LDAP-backed account was still present in Nextcloud. See the Nextcloud Security Advisory GHSA-79xf-ffj8-96fm for the maintainer analysis.
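The following is an added, illustrative model of the missing check; it is not user_oidc code, and every name in it (Account, AccountStore, OidcCallback, the sub_to_uid mapping) is invented for the example. It assumes the token's signature, issuer and audience have already been verified, and shows the same callback once trusting only the stored subject-to-user link and once with the existence-and-state check the advisory describes.

```python
from dataclasses import dataclass


@dataclass
class Account:
    """Stand-in for a local Nextcloud account row (hypothetical model)."""
    uid: str
    backend: str          # "LDAP" for directory-provisioned users
    enabled: bool = True


class AccountStore:
    """Hypothetical local account table; deleting a user removes its row."""

    def __init__(self):
        self._rows = {}

    def provision_from_ldap(self, uid):
        self._rows[uid] = Account(uid=uid, backend="LDAP")

    def disable(self, uid):
        self._rows[uid].enabled = False

    def delete(self, uid):
        self._rows.pop(uid, None)

    def get(self, uid):
        return self._rows.get(uid)


class OidcCallback:
    """Hypothetical OIDC callback. `sub_to_uid` stands for the persisted link
    between an IdP subject and a local user ID (an assumption of this model).
    Token signature, issuer and audience are assumed verified before this runs."""

    def __init__(self, store, sub_to_uid):
        self.store = store
        self.sub_to_uid = sub_to_uid

    def login_vulnerable(self, claims):
        # Trusts the stored mapping alone: once a subject was linked to a local
        # user, a deleted or disabled account still yields a session.
        uid = self.sub_to_uid.get(claims["sub"])
        if uid is None:
            return None
        return {"uid": uid, "via": "oidc"}

    def login_fixed(self, claims):
        # Same mapping, plus the existence-and-state check: the local account
        # must still be present and enabled, otherwise the login is rejected.
        uid = self.sub_to_uid.get(claims["sub"])
        if uid is None:
            return None
        account = self.store.get(uid)
        if account is None or not account.enabled:
            return None
        return {"uid": uid, "via": "oidc"}


def demo():
    """Walk an account through provisioning and deletion; return both paths'
    results before and after the local account is removed."""
    store = AccountStore()
    store.provision_from_ldap("mallory")
    cb = OidcCallback(store, {"idp-sub-4711": "mallory"})
    claims = {"iss": "https://idp.example", "sub": "idp-sub-4711"}  # constructed
    before = (cb.login_vulnerable(claims), cb.login_fixed(claims))
    store.delete("mallory")          # removed from Nextcloud; the IdP is unchanged
    after = (cb.login_vulnerable(claims), cb.login_fixed(claims))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before deletion:", before)
    print("after deletion: ", after)   # vulnerable path still returns a session
```

The point of the model is the order of checks: the IdP answers "who is this?", but only the local account store can answer "should this identity still have an account here?", and the second question has to be asked on every login, not only at first link.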
Attack Vector
Anyone who can still obtain a token from the upstream IdP for an identity mapped to a deleted Nextcloud account, typically the former account holder whose IdP login was not revoked at the same time as the Nextcloud account, can complete the OIDC login flow against the Nextcloud endpoint. The deleted account is effectively resurrected at the application layer, allowing access to files, shares, and APIs assigned to that identity before deletion. Because the attack uses the legitimate login flow, it looks like an ordinary successful OIDC login in standard authentication logs. Technical details are available in the HackerOne Report #3554696 and the upstream patch pull request.
Detection Methods for CVE-2026-45284
Indicators of Compromise
- Successful OIDC logins on the Nextcloud user_oidc endpoint for usernames that were previously deleted from the LDAP directory.
- Session creation events in Nextcloud logs referencing user IDs that no longer exist in the oc_accounts table.
- File access, share creation, or WebDAV activity attributed to user identifiers absent from the active LDAP user list.
Detection Strategies
- Correlate Nextcloud authentication logs with LDAP directory state to flag logins by users who have been removed from the directory.
- Audit the user_oidc token exchange logs for OIDC sub claims that map to deleted local accounts.
- Compare current LDAP membership against the Nextcloud user list and alert on session activity from any delta.
Monitoring Recommendations
- Forward Nextcloud nextcloud.log and reverse proxy access logs to a centralized analytics platform for retrospective hunting.
- Enable Nextcloud audit logging and monitor login and logout events tied to OIDC providers.
- Alert on first-seen authentications from user identifiers after the corresponding LDAP delete operation.
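The detection strategies and the monitoring recommendations above come down to one correlation: successful OIDC activity attributed to a user ID that is no longer in LDAP, ideally timestamped after the directory deletion. The script below is an added example, not part of Nextcloud or user_oidc. It assumes nextcloud.log's one-JSON-object-per-line layout with the field names reqId, level, time, remoteAddr, user, app, method, url and message; the sample lines, users, addresses and message texts are constructed, as are the LDAP membership, deletion timestamps and Nextcloud user list (in practice those would come from ldapsearch, the directory's change log and `occ user:list`).

```python
import json
from datetime import datetime

# Constructed sample in nextcloud.log's one-JSON-object-per-line layout.
# The field names are the real ones; users, addresses and messages are made up.
# "--" is what Nextcloud records as the user on unauthenticated requests.
SAMPLE_LOG = """\
{"reqId":"r1","level":1,"time":"2026-06-02T08:01:10+00:00","remoteAddr":"203.0.113.10","user":"alice","app":"user_oidc","method":"GET","url":"/index.php/apps/user_oidc/code","message":"Login successful"}
{"reqId":"r2","level":1,"time":"2026-06-02T08:05:31+00:00","remoteAddr":"203.0.113.11","user":"bob","app":"user_oidc","method":"GET","url":"/index.php/apps/user_oidc/code","message":"Login successful"}
{"reqId":"r3","level":1,"time":"2026-06-02T09:40:02+00:00","remoteAddr":"198.51.100.7","user":"mallory","app":"user_oidc","method":"GET","url":"/index.php/apps/user_oidc/code","message":"Login successful"}
{"reqId":"r4","level":1,"time":"2026-06-02T09:41:15+00:00","remoteAddr":"198.51.100.7","user":"mallory","app":"dav","method":"PROPFIND","url":"/remote.php/dav/files/mallory/","message":"PROPFIND on user root"}
{"reqId":"r5","level":2,"time":"2026-06-02T10:00:00+00:00","remoteAddr":"203.0.113.12","user":"--","app":"core","method":"POST","url":"/index.php/login","message":"Login failed: carol (Remote IP: 203.0.113.12)"}
this line is not JSON and must be skipped
"""

# Constructed directory state (see lead-in for where each would really come from).
LDAP_USERS_NOW = {"alice", "carol"}
LDAP_DELETIONS = {"mallory": "2026-06-01T17:30:00+00:00"}
NEXTCLOUD_USERS = {"alice", "bob", "carol", "mallory"}


def parse_log(text):
    """Yield parsed nextcloud.log records, skipping blank or non-JSON lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec


def orphaned_accounts(nextcloud_users, ldap_users):
    """Nextcloud accounts with no current LDAP entry: the delta to alert on
    (and, for the mitigation step, the candidates for cleanup)."""
    return set(nextcloud_users) - set(ldap_users)


def _ts(value):
    return datetime.fromisoformat(value)


def find_resurrected_logins(log_text, ldap_users, ldap_deletions, apps=("user_oidc",)):
    """Return log records attributed to users absent from LDAP.

    apps limits the scan to the given app field values (default: the OIDC
    callback); pass apps=None to also catch post-login activity such as WebDAV.
    A record dated before a known deletion is legitimate and is not reported.
    """
    findings = []
    for rec in parse_log(log_text):
        if apps is not None and rec.get("app") not in apps:
            continue
        uid = rec.get("user")
        if not uid or uid == "--":
            continue
        if uid in ldap_users:
            continue
        when = rec.get("time", "")
        deleted_at = ldap_deletions.get(uid)
        if deleted_at is None:
            reason = "activity by user absent from current LDAP membership (deletion time unknown)"
        elif _ts(when) >= _ts(deleted_at):
            reason = f"activity after LDAP deletion at {deleted_at}"
        else:
            continue  # user was still in LDAP at that time; nothing to flag
        findings.append({
            "user": uid,
            "time": when,
            "app": rec.get("app"),
            "remoteAddr": rec.get("remoteAddr"),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    print("orphaned accounts:", sorted(orphaned_accounts(NEXTCLOUD_USERS, LDAP_USERS_NOW)))
    for f in find_resurrected_logins(SAMPLE_LOG, LDAP_USERS_NOW, LDAP_DELETIONS, apps=None):
        print(f"{f['time']} {f['user']:<8} {f['app']:<10} {f['remoteAddr']:<15} {f['reason']}")
```

Run it against a real export by replacing SAMPLE_LOG with the file contents and the three constants with your directory and `occ user:list` output; keep the deletion timestamps when you can get them, since they turn a noisy "not in LDAP" match into a precise "logged in after removal" finding.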
How to Mitigate CVE-2026-45284
Immediate Actions Required
- Upgrade the user_oidc application to version 8.4.0 or later on all Nextcloud servers.
- Terminate active Nextcloud sessions for, and have the upstream IdP revoke tokens issued to, any user removed from LDAP while an affected user_oidc version (1.3.6 through 8.3.x) was installed.
- Audit the Nextcloud user table for orphaned accounts that no longer correspond to an LDAP entry and remove them.
Patch Information
Nextcloud released user_oidc version 8.4.0 to address CVE-2026-45284. The fix introduces the proper existence and state validation during the OIDC authentication callback so that deleted LDAP-backed users can no longer authenticate. Administrators should apply the update via the Nextcloud app store or through their package management workflow. Patch details are documented in the GitHub Pull Request #1340.
Workarounds
- If immediate patching is not feasible, disable the user_oidc app and require direct LDAP authentication until the upgrade is applied. Note that this removes single sign-on for all users, not only the affected ones.
- Restrict the upstream IdP to issue tokens only for currently active LDAP-provisioned users by synchronizing deletions to the IdP in real time.
- Enforce short OIDC session lifetimes and require re-authentication so newly deleted accounts lose access quickly.
# Upgrade user_oidc using the Nextcloud occ command. Run from the Nextcloud
# installation directory as the web server user (www-data here; adjust to
# your distribution's user).
sudo -u www-data php occ app:update user_oidc
# Confirm the installed version is 8.4.0 or later
sudo -u www-data php occ app:list | grep user_oidc
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.