CVE-2026-45285 Overview
CVE-2026-45285 is a missing authorization vulnerability [CWE-862] in Nextcloud Server affecting the Teams (formerly Circles) sharing feature. When a user shares a folder or file with a Nextcloud Team that contains an external member added by email address, the server silently generates a public link and emails it to that external member. The link carries read, write, delete, reshare and download permissions, yet it never appears in the share dialog, so the owner can neither see nor revoke it through the standard sharing interface. Anyone who obtains that email, including an attacker who intercepts it or is forwarded it, gains full access to the shared content without authenticating.
Critical Impact
Hidden public links bypass the Nextcloud sharing UI and grant full read, write, delete, and reshare access to anyone who obtains the link, with no path for the owner to detect or revoke access.
Affected Products
- Nextcloud Server 32.0.0 through versions before 32.0.9
- Nextcloud Server 33.0.0 through versions before 33.0.3
- Nextcloud Enterprise Server (same affected version ranges)
Discovery Timeline
- 2026-06-01 - CVE-2026-45285 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-45285
Vulnerability Analysis
The flaw resides in the circles application that powers the Teams feature. When a Team contains an external member identified only by an email address rather than a Nextcloud account, the share workflow cannot grant that member access through the normal user-to-user sharing model. To deliver the content anyway, the application provisions a public share link and emails it to the external recipient.
This automatically generated link inherits the Team's permission set, including write, delete, reshare and download. It is not registered in the folder's visible share list, which breaks the assumption that the share dialog represents every active access grant. The owner therefore has no indication that a public link exists, cannot audit it, and cannot revoke it; removing it requires an administrator working directly on the database.
Exploitation depends on user interaction (the owner must share with an affected Team) and on access to the recipient's email channel, so the flaw is not directly reachable over the network. Once an email carrying the link is intercepted, forwarded or leaked, however, it grants immediate full access to the underlying data. The token is the only credential, so the security of the recipient's mailbox becomes the security of the folder.
Root Cause
The root cause is missing authorization enforcement on the share creation path for external Team members. The owner authorized a share to a Team of accounts, not the publication of an unauthenticated link, yet the circles component creates a public share token without surfacing it to the access control layer the sharing UI relies on. The owner's authorization scope and visibility are therefore decoupled from the actual share state in the database.
Attack Vector
An attacker obtains the public link from email interception, mail relay logs, accidental forwarding, or compromise of the external recipient's mailbox. The attacker then issues HTTP requests to the Nextcloud public share endpoint using the token embedded in the link. No credentials are required, and the resulting actions (read, modify, delete, reshare) are logged as anonymous activity on the public share rather than attributed to an authenticated identity, which also hampers incident response.
No verified proof-of-concept code is published. Reproduction requires configuring a Team with an external email member and sharing a folder with that Team, then observing the link delivered in the outbound email.
Detection Methods for CVE-2026-45285
Indicators of Compromise
- Outbound emails from the Nextcloud instance containing public share URLs (/s/<token>) addressed to external recipients shortly after a folder was shared with a Team
- Rows in the oc_share table that carry a public token for a file or folder that is also shared with a Team, where the owner's share dialog lists only the Team share
- Anonymous access events in Nextcloud activity logs targeting Team-shared folders, including file modification or deletion attributed to a public share token rather than to a user
Detection Strategies
- Query the Nextcloud database for rows in oc_share whose share_type is a public link (3) or mail share (4) and whose file_source also carries a Team share (share_type 7); that is how a hidden link attached to a Team-shared folder surfaces in the data
- Correlate circles entries in nextcloud.log with mail transport logs to identify automatically generated public link emails sent to external addresses
- Audit web server access logs for requests to /s/<token> and for write methods (PUT, DELETE, MOVE, MKCOL) against the public WebDAV endpoint /public.php/webdav on Team-shared paths, since uploads and deletions over a public link go through that endpoint rather than the /s/ page itself
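The access-log strategy above, as an added example rather than anything from the Nextcloud project or the advisory: a small Python detector that reads web server access log lines in combined format, records which client opened which /s/<token> page, and flags later successful write methods from the same client against /public.php/ within a 30-minute window. The log lines, client addresses, token and path prefixes are constructed for the example (assumption: a default install with Nextcloud at the web root); the window and the method list are tunables of this script, not Nextcloud settings.

```python
"""Flag anonymous write activity on Nextcloud public links in a web server
access log (combined format). Added example; every log line below is
constructed for illustration, not taken from a real incident."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumed routes for a default install at the web root: the share page and the
# public WebDAV endpoint that uploads, edits and deletions go through.
SHARE_PAGE = re.compile(r"^/s/(?P<token>[A-Za-z0-9]+)")
PUBLIC_DAV = re.compile(r"^/public\.php/")
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "POST"}
WINDOW = timedelta(minutes=30)  # correlation window of this script, tunable

# Constructed sample: one client opens a share page then writes and deletes
# through public WebDAV; an authenticated user does normal DAV work; a second
# client writes without ever loading the page; a final write is rejected (403).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2026:10:15:01 +0000] "GET /s/AbCdEf123456 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Jun/2026:10:15:09 +0000] "PUT /public.php/webdav/Finance/q2.xlsx HTTP/1.1" 201 0 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Jun/2026:10:15:12 +0000] "DELETE /public.php/webdav/Finance/old.docx HTTP/1.1" 204 0 "-" "Mozilla/5.0"
198.51.100.7 - alice [03/Jun/2026:10:16:00 +0000] "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 207 1200 "-" "Mozilla/5.0"
192.0.2.4 - - [03/Jun/2026:10:17:00 +0000] "PUT /public.php/webdav/Finance/dropped.bin HTTP/1.1" 201 0 "-" "curl/8.0"
203.0.113.5 - - [03/Jun/2026:10:18:00 +0000] "PUT /public.php/webdav/Finance/denied.txt HTTP/1.1" 403 0 "-" "Mozilla/5.0"
""".splitlines()


def parse(line):
    """Split one combined-format line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def redact(token):
    """Keep only a prefix: the full token is the credential, never log it whole."""
    return token[:4] + "..."


def find_public_link_writes(lines):
    """Return successful write requests against the public DAV endpoint, each
    tagged with the /s/<token> page the same client opened within WINDOW (if any)."""
    opened = defaultdict(list)  # client ip -> [(timestamp, token)]
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        page = SHARE_PAGE.match(rec["path"])
        if page:
            opened[rec["ip"]].append((rec["ts"], page.group("token")))
            continue
        if (rec["method"] in WRITE_METHODS and PUBLIC_DAV.match(rec["path"])
                and rec["status"] < 400):
            recent = [tok for ts, tok in opened[rec["ip"]] if rec["ts"] - ts <= WINDOW]
            findings.append({
                "ts": rec["ts"].isoformat(), "ip": rec["ip"],
                "method": rec["method"], "path": rec["path"],
                "token_hint": redact(recent[-1]) if recent else None,
            })
    return findings


if __name__ == "__main__":
    for finding in find_public_link_writes(SAMPLE_LOG):
        print(finding)
```

A write with no preceding /s/ page load from that client (token_hint None) is still reported: a scripted attacker who already holds the token has no reason to render the share page first. Redact tokens before findings reach a ticketing system or SIEM, since a finding that quotes the token in full reproduces the exposure.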
Monitoring Recommendations
- Nextcloud logs per instance, not per app: lower loglevel in config.php to 1 (info) or 0 (debug) so that files_sharing and circles events reach nextcloud.log, enable the admin_audit app for share-creation records, and forward nextcloud.log together with the web server access log to a centralized log platform
- Alert on any public link creation event for a file or folder that was shared with a Team rather than with an individual user
- Track outbound SMTP traffic from the Nextcloud server for messages containing /s/<token> URLs and review the recipient domains against the list of expected external collaborators
How to Mitigate CVE-2026-45285
Immediate Actions Required
- Upgrade Nextcloud Server to version 32.0.9 or 33.0.3 depending on the deployed branch; do not assume the upgrade removes links that were already generated
- Inventory all Teams that include external email members and review historical shares made to those Teams
- Audit the oc_share table for hidden public links created on behalf of external Team members and revoke any that are no longer required, backing up the database before deleting rows
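The oc_share audit called for in the detection strategies and in the actions above, as an added example that is not Nextcloud code. It makes three assumptions: the share_type constants from OCP\Share\IShare (3 link, 4 mail, 7 circle/Team), the permission bitmask used in oc_share.permissions (1 read, 2 update, 4 create, 8 delete, 16 share), and that the auto-generated link is stored as a token-bearing row on the same file_source as the Team share. It runs against an in-memory SQLite copy of the relevant columns populated with constructed rows; against a real instance, run FINDINGS_SQL on the production database with the table prefix from dbtableprefix in config.php, and back up before revoking anything.

```python
"""Audit Nextcloud's oc_share table for token-bearing link rows that sit on a
file or folder also shared with a Team (circle). Added example, not Nextcloud
code; share types, permission bits and the storage layout are assumptions."""
import sqlite3

# Assumption: share_type values as defined by OCP\Share\IShare.
TYPE_LINK, TYPE_EMAIL, TYPE_CIRCLE = 3, 4, 7
# Assumption: the standard permission bitmask stored in oc_share.permissions.
PERM_BITS = {1: "read", 2: "update", 4: "create", 8: "delete", 16: "share"}

# Subset of the real oc_share columns, enough for the query (constructed).
SCHEMA = """CREATE TABLE oc_share (
    id INTEGER PRIMARY KEY, share_type INTEGER NOT NULL, share_with TEXT,
    uid_owner TEXT NOT NULL, uid_initiator TEXT, parent INTEGER,
    item_type TEXT NOT NULL, file_source INTEGER, file_target TEXT,
    permissions INTEGER NOT NULL, stime INTEGER NOT NULL, token TEXT,
    expiration TEXT, password TEXT)"""

# Constructed rows. alice shared /Finance with a Team (on a real instance
# share_with holds the Team's internal id, not a name); the Team has an
# email-only member, so a link row with a token appeared on the same
# file_source with full permissions and no password or expiry. bob's
# ordinary link on /Photos and alice's mail share of /notes.txt are controls.
SAMPLE_ROWS = [
    (1, TYPE_CIRCLE, "finance-team", "alice", "alice", None, "folder", 1001, "/Finance", 31, 1780000000, None, None, None),
    (2, TYPE_LINK, None, "alice", "alice", None, "folder", 1001, "/Finance", 31, 1780000001, "AbCdEf123456", None, None),
    (3, 0, "bob", "alice", "alice", None, "folder", 1001, "/Finance", 31, 1780000002, None, None, None),
    (4, TYPE_LINK, None, "bob", "bob", None, "folder", 2002, "/Photos", 1, 1780000003, "ZyXwVu987654", "2026-07-01 00:00:00", "$2y$10$hash"),
    (5, TYPE_EMAIL, "ext@example.org", "alice", "alice", None, "file", 3003, "/notes.txt", 1, 1780000004, "MailTok111111", None, None),
]

# The audit query; portable to MySQL/PostgreSQL once the table prefix
# (dbtableprefix in config.php, default oc_) is substituted.
FINDINGS_SQL = """
SELECT l.id, l.uid_owner, l.file_target, l.permissions, l.token,
       l.expiration, l.password, c.share_with AS team
FROM oc_share l
JOIN oc_share c ON c.file_source = l.file_source AND c.share_type = ?
WHERE l.share_type IN (?, ?) AND l.token IS NOT NULL
ORDER BY l.id"""


def decode_permissions(mask):
    """Expand the permission bitmask into names, e.g. 31 -> all five."""
    return [name for bit, name in PERM_BITS.items() if mask & bit]


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO oc_share VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def find_hidden_team_links(conn):
    """Link/mail rows with a token on a file_source that also has a Team share."""
    findings = []
    for r in conn.execute(FINDINGS_SQL, (TYPE_CIRCLE, TYPE_LINK, TYPE_EMAIL)):
        perms = decode_permissions(r["permissions"])
        findings.append({
            "share_id": r["id"], "owner": r["uid_owner"], "team": r["team"],
            "path": r["file_target"], "perms": perms,
            "dangerous": any(p in perms for p in ("update", "delete", "share")),
            "unprotected": r["password"] is None and r["expiration"] is None,
            "token_hint": r["token"][:4] + "...",  # never report the full token
        })
    return findings


def revoke(conn, share_id):
    """Delete one share row and any child rows hanging off it. On a real
    instance: back up first and confirm the id against find_hidden_team_links."""
    cur = conn.execute("DELETE FROM oc_share WHERE id = ? OR parent = ?", (share_id, share_id))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    for finding in find_hidden_team_links(db):
        print(finding)
```

The join on file_source is the whole trick: the hidden link is invisible in the dialog, but in the table it still shares a file id with the Team share the owner can see, so the Team share acts as the index for finding it.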
Patch Information
The issue is patched in Nextcloud Server 32.0.9 and 33.0.3. The fix is implemented in the circles application via Nextcloud circles pull request #2454. Full advisory details are available in the Nextcloud GHSA-r3xh-x86g-hw4m security advisory and the HackerOne report #3625932.
Workarounds
- Restrict Team membership to users with Nextcloud accounts and remove all email-only external members until the patch is applied; this removes the trigger condition for new hidden links
- Disable the Teams (circles) application in the Nextcloud admin panel, or with occ app:disable circles, if it is not in active use
- Configure the share-by-mail and public link sharing policies (Administration settings > Sharing: enforce password protection, set and enforce expiration dates) to limit the exposure of any link that does get generated, and verify on a test Team that the auto-generated link actually honours those policies, since it is created outside the normal link-sharing flow
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


