CVE-2026-45543 Overview
CVE-2026-45543 is an information disclosure vulnerability in Nextcloud Forms, an open source content collaboration platform component. The flaw allows a removed collaborator to retain unauthorized read access to uploaded respondent files associated with a form. The issue affects Nextcloud Forms from version 4.3.0 up to versions before 5.2.7. Exposure is scoped to uploaded files for forms where the removed user previously had results access. The vulnerability is classified under CWE-552 (Files or Directories Accessible to External Parties) and was patched in Nextcloud Forms version 5.2.7.
Critical Impact
A removed collaborator can continue to read respondent file uploads from forms they previously had access to, exposing potentially sensitive submitted data.
Affected Products
- Nextcloud Forms version 4.3.0 and later
- Nextcloud Forms versions prior to 5.2.7
- Nextcloud deployments using the Forms application for respondent file uploads
Discovery Timeline
- 2026-06-01 - CVE-2026-45543 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-45543
Vulnerability Analysis
The vulnerability resides in the access control logic that governs uploaded respondent files in Nextcloud Forms. When a user is granted results access to a form as a collaborator, they obtain permission to view files uploaded by respondents. Removing that user from the collaborator list should immediately revoke access to all form artifacts, including respondent file uploads.
In affected versions, the removal process does not fully invalidate access to previously uploaded respondent files. The removed user can continue to read these files through direct requests, despite no longer being listed as a collaborator. This results in unauthorized read access to data submitted by form respondents.
The issue is limited in scope. It does not affect form metadata, responses other than file uploads, or forms the user never had access to. Integrity and availability are not impacted — only confidentiality of uploaded files.
Root Cause
The root cause is an incomplete authorization check on the file retrieval endpoint for respondent uploads. The Forms application enforces access control at the moment of file upload association but fails to re-evaluate collaborator status when a previously authorized user requests the file. This is consistent with [CWE-552], where files become accessible to parties who should no longer have permission.
Attack Vector
An attacker who was previously a form collaborator with results access retains the file identifiers or URLs for uploaded respondent files. After being removed as a collaborator, the attacker can issue authenticated requests to the file endpoints and receive the file contents. Exploitation requires only standard user authentication to the Nextcloud instance and prior collaborator history on the targeted form. No user interaction from the legitimate form owner or respondents is required. The fix is implemented in Nextcloud Forms Pull Request #3291.
Detection Methods for CVE-2026-45543
Indicators of Compromise
- Access log entries showing file download requests from user accounts that were recently removed as form collaborators
- Repeated GET requests to Nextcloud Forms file endpoints from accounts no longer associated with the form
- Anomalous file retrieval patterns following changes to a form's collaborator membership
Detection Strategies
- Correlate Nextcloud audit logs for collaborator removal events against subsequent file access events by the same user identifier
- Review web server and application logs for requests to respondent file URLs originating from non-current collaborators
- Establish baselines for legitimate file access by form owners and compare against requests from historically authorized accounts
Monitoring Recommendations
- Enable verbose audit logging in Nextcloud for the Forms application, including file access events
- Forward Nextcloud logs to a centralized log management or SIEM platform for cross-event correlation
- Alert on file access requests that occur after a user's collaborator role was revoked
How to Mitigate CVE-2026-45543
Immediate Actions Required
- Upgrade Nextcloud Forms to version 5.2.7 or later on all affected Nextcloud instances
- Audit collaborator history for forms containing sensitive respondent file uploads and identify users removed between version 4.3.0 and 5.2.7
- Review access logs for unauthorized file retrievals by previously removed collaborators
Patch Information
Nextcloud Forms version 5.2.7 contains the fix for CVE-2026-45543. Administrators should update the Forms app through the standard Nextcloud app management interface or via occ app:update forms. Technical details of the fix are available in the Nextcloud Security Advisory GHSA-q4fw-6jf8-5vhh and the HackerOne Report #3617352.
Workarounds
- If immediate upgrade is not possible, delete or relocate respondent file uploads for forms where collaborators have been removed
- Restrict the Forms application to trusted users only until the patch can be applied
- Disable file upload questions on forms handling sensitive data until the upgrade completes
# Configuration example
# Update the Nextcloud Forms app to the patched version
sudo -u www-data php occ app:update forms
# Verify the installed version is 5.2.7 or later
sudo -u www-data php occ app:list | grep forms
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
