SentinelOne
CVE Vulnerability Database

CVE-2026-45690: Nextcloud Server 2FA Bypass Vulnerability

CVE-2026-45690 is an authentication bypass flaw in Nextcloud Server allowing attackers to circumvent two-factor authentication using session token replay. This article covers technical details, affected versions, and patches.

Published: June 4, 2026

CVE-2026-45690 Overview

CVE-2026-45690 is an authentication bypass vulnerability in Nextcloud Server that allows attackers with knowledge of a valid user password to circumvent two-factor authentication (2FA). The flaw exists in Nextcloud Server versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3. When a user initiates login on a 2FA-enabled account, the system issues a temporary session token before the second factor challenge completes. An attacker can extract this token and replay it via HTTP Basic Authentication to access authenticated endpoints. The weakness is classified under [CWE-287] Improper Authentication.

Critical Impact

Attackers possessing a valid username and password can fully bypass 2FA protections and access authenticated Nextcloud endpoints, defeating the second factor security control.

Affected Products

  • Nextcloud Server 32.0.0 and later, before 32.0.9
  • Nextcloud Server 33.0.0 and later, before 33.0.3
  • Nextcloud Enterprise Server branches 29.x, 30.x, 31.x, 32.x, and 33.x prior to fixed releases

Discovery Timeline

  • 2026-06-01 - CVE-2026-45690 published to NVD
  • 2026-06-02 - Last updated in NVD database

Technical Details for CVE-2026-45690

Vulnerability Analysis

The vulnerability resides in the Nextcloud Server login flow for accounts protected by two-factor authentication. When valid primary credentials are submitted, the server creates a session token before the second factor challenge is enforced. This token represents a partially authenticated state that should not grant access to protected resources. However, the token is accepted by endpoints that authenticate via HTTP Basic Authentication, effectively skipping the 2FA verification step.

An attacker with knowledge of a target user's password can drive the login process, capture or replay the intermediate token, and access authenticated APIs. The bypass undermines the integrity guarantee that 2FA is meant to provide for high-value accounts, including administrators and file owners.

Root Cause

The root cause is a state validation gap in the authentication state machine. The server issues a session credential during a transitional authentication state but fails to scope that credential to the 2FA challenge endpoint only. Downstream Basic Authentication handlers accept the token without verifying whether the second factor has been satisfied, breaking the security boundary between credential verification and full session establishment.
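To make the state validation gap concrete, here is an added model of the two-stage login flow; it is illustrative code, not Nextcloud's. AuthStage, SessionToken, start_login, complete_2fa and the two basic_auth_* handlers are hypothetical names, and /login/challenge and /remote.php/dav stand in for the challenge and data endpoints.

```python
from dataclasses import dataclass, field
from enum import Enum
import secrets


class AuthStage(Enum):
    PASSWORD_VERIFIED = 1     # primary credential accepted, second factor pending
    FULLY_AUTHENTICATED = 2   # second factor satisfied (or not required)


@dataclass
class SessionToken:
    user: str
    value: str
    stage: AuthStage
    scope: frozenset = field(default_factory=frozenset)  # endpoints a pending token may call


CHALLENGE_ENDPOINT = "/login/challenge"   # hypothetical path for the 2FA challenge


def start_login(user: str, requires_2fa: bool) -> SessionToken:
    """Primary credentials are assumed verified by the caller. For a 2FA-enabled
    account the token is issued in a transitional state, scoped to the challenge."""
    if requires_2fa:
        return SessionToken(user, secrets.token_hex(16), AuthStage.PASSWORD_VERIFIED,
                            frozenset({CHALLENGE_ENDPOINT}))
    return SessionToken(user, secrets.token_hex(16), AuthStage.FULLY_AUTHENTICATED)


def complete_2fa(token: SessionToken, challenge_passed: bool) -> SessionToken:
    """Promote the token only once the second factor has actually been verified."""
    if challenge_passed and token.stage is AuthStage.PASSWORD_VERIFIED:
        token.stage = AuthStage.FULLY_AUTHENTICATED
    return token


def basic_auth_vulnerable(token: SessionToken, endpoint: str) -> bool:
    """The CVE-2026-45690 gap: every issued token is treated as fully
    authenticated, so the stage is never consulted."""
    return bool(token.value)


def basic_auth_fixed(token: SessionToken, endpoint: str) -> bool:
    """Hardened handler: a transitional token is honoured only for its scoped
    challenge endpoint; every other endpoint requires a completed second factor."""
    if token.stage is AuthStage.FULLY_AUTHENTICATED:
        return True
    return endpoint in token.scope
```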

Attack Vector

Exploitation requires network access to the Nextcloud Server and prior knowledge of a valid username and password. The attacker submits credentials to trigger the 2FA flow, intercepts or extracts the issued token, and then issues HTTP requests using Basic Authentication carrying that token. The targeted endpoints accept the request and return authenticated responses without prompting for the second factor. The technical details, fix, and proof-of-concept context are documented in the Nextcloud GitHub Security Advisory GHSA-jgcj-v42r-9922, the server pull request, and HackerOne Report #3639301.

Detection Methods for CVE-2026-45690

Indicators of Compromise

  • Successful HTTP Basic Authentication requests to Nextcloud endpoints from clients that never completed the 2FA challenge.
  • Login sequences in which a login event is followed by API calls but no corresponding twofactor_success event for the same session.
  • Repeated Basic Authentication requests from a single source IP reusing the same session identifier across multiple endpoints in a short window.

Detection Strategies

  • Correlate Nextcloud authentication logs to flag sessions that issued tokens but never completed a second factor verification step before accessing data endpoints.
  • Alert on access to sensitive endpoints such as WebDAV, file shares, or admin APIs when the authenticating session lacks a recorded 2FA completion.
  • Hunt for unusual Basic Authentication usage against accounts configured with 2FA, since legitimate 2FA users typically authenticate through the web flow.
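The correlation in the first two strategies can be scripted. The following is an added example, not SentinelOne's or Nextcloud's code: it assumes login, 2FA and request events have been normalized into one JSON-lines stream (the sample lines are constructed), and the "Login successful" and "Two-factor challenge passed" message strings are assumptions to replace with what your release actually logs.

```python
import json

# Constructed sample stream: alice completes her second factor before touching
# WebDAV; bob's account goes straight from password login to WebDAV and OCS
# calls with no 2FA event; carol has no second factor enrolled and is left alone.
SAMPLE_LOG = """
{"time":"2026-06-05T08:00:01Z","remoteAddr":"10.0.0.5","user":"alice","message":"Login successful","method":"POST","url":"/login"}
{"time":"2026-06-05T08:00:09Z","remoteAddr":"10.0.0.5","user":"alice","message":"Two-factor challenge passed","method":"POST","url":"/login/challenge/totp"}
{"time":"2026-06-05T08:00:20Z","remoteAddr":"10.0.0.5","user":"alice","message":"request","method":"PROPFIND","url":"/remote.php/dav/files/alice/"}
{"time":"2026-06-05T09:12:00Z","remoteAddr":"203.0.113.7","user":"bob","message":"Login successful","method":"POST","url":"/login"}
{"time":"2026-06-05T09:12:03Z","remoteAddr":"203.0.113.7","user":"bob","message":"request","method":"PROPFIND","url":"/remote.php/dav/files/bob/"}
{"time":"2026-06-05T09:12:05Z","remoteAddr":"203.0.113.7","user":"bob","message":"request","method":"GET","url":"/ocs/v2.php/cloud/user"}
{"time":"2026-06-05T10:00:00Z","remoteAddr":"10.0.0.9","user":"carol","message":"Login successful","method":"POST","url":"/login"}
{"time":"2026-06-05T10:00:04Z","remoteAddr":"10.0.0.9","user":"carol","message":"request","method":"PROPFIND","url":"/remote.php/dav/files/carol/"}
"""

DATA_ENDPOINTS = ("/remote.php/", "/ocs/")   # WebDAV, file shares and OCS APIs
LOGIN_OK = "Login successful"                # assumed message text
TWOFA_OK = "Two-factor challenge passed"     # assumed message text


def find_2fa_bypass(log_text: str, two_factor_users: set) -> list:
    """Return (user, remoteAddr, time, url) for every data-endpoint request made
    after a password login but before any second-factor completion in the same
    session. A session is approximated as (user, remoteAddr); prefer a real
    session id if your log carries one."""
    events = sorted((json.loads(line) for line in log_text.strip().splitlines()),
                    key=lambda e: e["time"])
    pending = {}   # (user, addr) -> True while the second factor is outstanding
    findings = []
    for ev in events:
        if ev["user"] not in two_factor_users:
            continue   # no second factor expected for this account
        key = (ev["user"], ev["remoteAddr"])
        if ev["message"] == LOGIN_OK:
            pending[key] = True
        elif ev["message"] == TWOFA_OK:
            pending[key] = False
        elif pending.get(key) and ev["url"].startswith(DATA_ENDPOINTS):
            findings.append((ev["user"], ev["remoteAddr"], ev["time"], ev["url"]))
    return findings
```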

Monitoring Recommendations

  • Forward Nextcloud data/nextcloud.log and web server access logs to a centralized logging platform for correlation across login and API events.
  • Track authentication anomalies per user account, including geographic and user-agent deviations following password-only login attempts.
  • Monitor for spikes in failed-then-successful login pairs that may indicate credential stuffing combined with 2FA bypass attempts.

How to Mitigate CVE-2026-45690

Immediate Actions Required

  • Upgrade Nextcloud Server to version 33.0.3 or 32.0.9 as soon as possible.
  • Upgrade Nextcloud Enterprise Server to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, or 29.0.16.16 depending on the deployed branch.
  • Invalidate active sessions and force re-authentication for all users after patching to revoke any tokens that may have been captured.
  • Review authentication logs for prior abuse of Basic Authentication against 2FA-enabled accounts.

Patch Information

Nextcloud released fixes in Server versions 32.0.9 and 33.0.3, and in Enterprise Server versions 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, and 29.0.16.16. The corresponding code change is available in the Nextcloud server pull request #59758, and full advisory details are published in GHSA-jgcj-v42r-9922.

Workarounds

  • Disable HTTP Basic Authentication for clients where feasible and require app passwords or OAuth-based authentication instead.
  • Enforce password rotation for any account that may have authenticated during the vulnerable window, especially privileged users.
  • Restrict network access to the Nextcloud instance using VPN or IP allow-listing until the upgrade is applied.
```bash
# Configuration example: upgrade Nextcloud Server via the built-in updater
sudo -u www-data php /var/www/nextcloud/updater/updater.phar
sudo -u www-data php /var/www/nextcloud/occ upgrade
sudo -u www-data php /var/www/nextcloud/occ maintenance:mode --off

# Invalidate existing sessions after patching. `occ user:list` prints one
# "  - <uid>: <display name>" line per user; sed extracts the uid (it cannot contain ":").
# `user:auth-tokens:delete --last-used-before` exists from Nextcloud 28 on; confirm the
# option syntax for your release with `occ user:auth-tokens:delete --help`.
now="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
sudo -u www-data php /var/www/nextcloud/occ user:list \
  | sed -n 's/^ *- \([^:]*\):.*$/\1/p' \
  | while IFS= read -r uid; do
      sudo -u www-data php /var/www/nextcloud/occ user:auth-tokens:delete "$uid" --last-used-before "$now"
    done
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Auth Bypass
  • Vendor/Tech: Nextcloud
  • Severity: MEDIUM
  • CVSS Score: 5.9
  • EPSS Probability: 0.06%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N

Impact Assessment

  • Confidentiality: High
  • Integrity: None
  • Availability: None

CWE References

  • CWE-287

Technical References

  • GitHub Security Advisory GHSA-jgcj-v42r-9922
  • GitHub Pull Request #59758
  • HackerOne Report #3639301

Related CVEs

  • CVE-2026-45285: Nextcloud Server Auth Bypass Vulnerability
  • CVE-2026-45284: Nextcloud User OIDC Auth Bypass Flaw
  • CVE-2026-45281: Nextcloud Server Auth Bypass Vulnerability
  • CVE-2026-45282: Nextcloud Server Auth Bypass Vulnerability
©2026 SentinelOne, All Rights Reserved.