CVE-2026-45544 Overview
CVE-2026-45544 is an information exposure vulnerability in Nextcloud Tables, an open source content collaboration component of the Nextcloud platform. The flaw exposes view filter criteria to users granted only read-only permissions. Affected versions range from 0.8.0 up to (but not including) 1.0.4. The issue is patched in versions 1.0.4 and 2.0.0. The weakness is classified under CWE-1230: Exposure of Sensitive Information Through Metadata.
Critical Impact
Authenticated users with read-only access can view filter criteria configured on table views, potentially revealing sensitive structural or business logic information not intended for that permission tier.
Affected Products
- Nextcloud Tables versions 0.8.0 through 1.0.3
- Nextcloud Tables prior to 2.0.0 (1.x branch)
- Nextcloud deployments using the Tables app for collaborative data management
Discovery Timeline
- 2026-06-01 - CVE-2026-45544 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-45544
Vulnerability Analysis
Nextcloud Tables provides spreadsheet-like collaborative data management with row-level permissions and configurable views. Views allow administrators and editors to define filter criteria that scope which rows are visible. The vulnerability stems from improper enforcement of permission boundaries on the metadata describing those filters. Users with read-only permissions receive the filter criteria alongside the filtered result set, rather than only the data they are authorized to view.
This falls under CWE-1230, where sensitive information is leaked through metadata exposed to lower-privileged consumers. The HackerOne report (#3483753) and the upstream pull request nextcloud/tables#2312 confirm the fix scopes filter criteria delivery to users with appropriate permissions.
Root Cause
The Tables backend did not apply a permission check when serializing view metadata for API responses. The filter definition was treated as part of the view object rather than as privileged configuration data. Read-only consumers therefore received the criteria fields when fetching view information.
Attack Vector
Exploitation requires an authenticated session with at least read-only access to a shared table view. The attacker queries the Tables API endpoint for view details and parses the filter criteria from the response. No user interaction or elevated privileges are required beyond the initial share. The vulnerability does not permit data modification or service disruption.
Verified technical details are documented in the Nextcloud GHSA-vvxm-6jjp-m9mp advisory and the upstream pull request #2312.
Detection Methods for CVE-2026-45544
Indicators of Compromise
- Unexpected API requests to Nextcloud Tables view endpoints from accounts with read-only sharing
- Repeated GET requests enumerating multiple view IDs from a single low-privilege session
- User-agent or client patterns inconsistent with the Nextcloud web UI accessing view metadata endpoints
Detection Strategies
- Review Nextcloud audit logs for read-only users issuing high volumes of view metadata requests
- Compare deployed Nextcloud Tables version against patched releases 1.0.4 and 2.0.0
- Inspect application access logs for /apps/tables/api/ traffic correlated with shared view identifiers
Monitoring Recommendations
- Enable verbose logging on the Tables app and forward logs to a centralized SIEM
- Alert on access pattern anomalies where read-only collaborators retrieve view configurations repeatedly
- Track Nextcloud app version drift across instances to identify unpatched Tables deployments
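The detection items above can be prototyped against a web server access log before a SIEM rule is written. The following is an added example, not code from Nextcloud or the advisory. It assumes Combined Log Format with the authenticated user recorded in the third field, a view-detail path shaped like `/apps/tables/api/<version>/views/<id>`, and a list of read-only accounts supplied by the administrator. The log lines and account names are constructed.

```python
import re
from collections import defaultdict

# Assumption: Combined Log Format, authenticated user in the third field.
LINE_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] "GET (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: view details are served at /apps/tables/api/<version>/views/<id>.
# Sub-resources such as /views/<id>/rows are deliberately not matched.
VIEW_RE = re.compile(r'/apps/tables/api/\d+/views/(?P<view_id>\d+)(?:\?|$)')


def find_view_enumeration(lines, read_only_users, threshold=3):
    """Return {user: sorted distinct view IDs} for read-only accounts that
    successfully fetched details of at least `threshold` distinct views."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["user"] not in read_only_users:
            continue
        if not m["status"].startswith("2"):
            continue  # denied or failed requests returned no metadata
        v = VIEW_RE.search(m["path"])
        if v:
            seen[m["user"]].add(int(v["view_id"]))
    return {u: sorted(ids) for u, ids in seen.items() if len(ids) >= threshold}


# Constructed sample data: hypothetical accounts and documentation-range IPs.
READ_ONLY_USERS = {"guest_ro", "viewer_b"}
_TS = "[02/Jun/2026:10:00:00 +0000]"
_BASE = "/index.php/apps/tables/api/1/views"
SAMPLE_LOG = [
    f'203.0.113.7 - guest_ro {_TS} "GET {_BASE}/11 HTTP/1.1" 200 812',
    f'203.0.113.7 - guest_ro {_TS} "GET {_BASE}/12 HTTP/1.1" 200 790',
    f'203.0.113.7 - guest_ro {_TS} "GET {_BASE}/13?format=json HTTP/1.1" 200 801',
    f'203.0.113.7 - guest_ro {_TS} "GET {_BASE}/14 HTTP/1.1" 403 120',
    f'203.0.113.7 - guest_ro {_TS} "GET {_BASE}/15/rows HTTP/1.1" 200 4096',
    f'203.0.113.9 - viewer_b {_TS} "GET {_BASE}/11 HTTP/1.1" 200 812',
    f'203.0.113.9 - viewer_b {_TS} "GET {_BASE}/11 HTTP/1.1" 200 812',
    f'198.51.100.4 - editor_1 {_TS} "GET {_BASE}/11 HTTP/1.1" 200 812',
    f'198.51.100.4 - editor_1 {_TS} "GET {_BASE}/12 HTTP/1.1" 200 790',
    f'198.51.100.4 - editor_1 {_TS} "GET {_BASE}/13 HTTP/1.1" 200 801',
]

if __name__ == "__main__":
    for user, views in find_view_enumeration(SAMPLE_LOG, READ_ONLY_USERS).items():
        print(f"read-only account {user} fetched view details for IDs {views}")
```

The threshold and the read-only account list need tuning per instance; where the access log does not record the authenticated user, the same grouping can be keyed on client address or session identifier instead.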
How to Mitigate CVE-2026-45544
Immediate Actions Required
- Upgrade Nextcloud Tables to version 1.0.4 or 2.0.0 immediately
- Audit existing table shares and revoke read-only access where filter criteria contain sensitive logic
- Review prior access logs for anomalous read-only user activity against view endpoints
Patch Information
Nextcloud released fixed versions 1.0.4 and 2.0.0 of the Tables app. The patch is delivered via the upstream pull request #2312, which restricts filter criteria exposure to users with sufficient permissions. Administrators should apply the update through the Nextcloud app store or by upgrading the Tables app package directly. See the Nextcloud security advisory GHSA-vvxm-6jjp-m9mp for vendor guidance.
Workarounds
- Remove or simplify filter criteria on shared views until the patch is applied
- Restrict table sharing to trusted collaborators with editor permissions only
- Disable the Tables app on instances where immediate upgrade is not feasible
# Upgrade Nextcloud Tables via occ to a patched version
sudo -u www-data php occ app:update tables
sudo -u www-data php occ app:list | grep tables
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


