CVE-2026-45691 Overview
CVE-2026-45691 is an authentication bypass vulnerability in Nextcloud Server affecting versions 32.0.0 through 32.0.8 and 33.0.0 through 33.0.2. The flaw allows an attacker who possesses valid primary credentials to reuse a pre-2FA session cookie as a Bearer token against WebDAV (DAV) endpoints. This grants read and write access to user data while bypassing mandatory two-factor authentication (TOTP). The issue is tracked under CWE-287: Improper Authentication.
Critical Impact
An attacker with stolen or phished credentials can bypass mandatory 2FA enforcement and access user files through DAV endpoints, defeating a primary control intended to mitigate credential compromise.
Affected Products
- Nextcloud Server 32.0.0 through versions before 32.0.9
- Nextcloud Server 33.0.0 through versions before 33.0.3
- Nextcloud Enterprise Server branches 29.x, 30.x, 31.x, 32.x, and 33.x prior to fixed releases
Discovery Timeline
- 2026-06-01 - CVE-2026-45691 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-45691
Vulnerability Analysis
Nextcloud issues a session cookie after a user submits valid primary credentials but before the TOTP step completes. This intermediate session is intended only to track the authentication state between the password and second-factor stages. The DAV endpoint handler accepts this cookie value when supplied as an HTTP Authorization: Bearer token. The Bearer authentication path does not re-check whether the session has completed the second-factor challenge.
An attacker with a valid username and password can drive the login flow to the 2FA prompt, capture the partially authenticated session identifier, and replay it against /remote.php/dav/ endpoints. The DAV stack then treats the request as fully authenticated, enabling file reads, uploads, and modifications without ever satisfying the TOTP requirement.
Root Cause
The root cause is inconsistent authentication state enforcement between the web session middleware and the DAV Bearer token authenticator. The Bearer authentication backend resolves the supplied token to a user account but does not validate the two-factor completion flag stored on the session. This is a classic broken access control pattern where one authentication path enforces a security control and a parallel path does not.
Attack Vector
Exploitation requires network access to the Nextcloud instance and prior knowledge of valid primary credentials, typically obtained through phishing, credential stuffing, or password reuse. The attacker logs in via the standard web flow, intercepts the nc_session_id (or equivalent) cookie value at the 2FA prompt, then issues HTTP requests directly to DAV endpoints with Authorization: Bearer <cookie_value>. No user interaction is required at the victim side once credentials are obtained. Full technical details are available in the Nextcloud GitHub Security Advisory GHSA-mp6x-g55j-w9jw and the corresponding HackerOne report #3573399.
Detection Methods for CVE-2026-45691
Indicators of Compromise
- Requests to /remote.php/dav/ or /public.php/dav/ carrying an Authorization: Bearer header from clients that did not complete the interactive 2FA flow.
- DAV access logs showing successful authentication for accounts where the corresponding web session never recorded a TOTP success event.
- Anomalous user-agent strings or scripted clients accessing DAV endpoints shortly after a partial login from the same IP.
Detection Strategies
- Correlate authentication audit events with DAV access logs to identify sessions that produced DAV traffic without a completed second-factor step.
- Alert on Bearer token authentication against DAV endpoints when the same token value matches an active pre-2FA web session cookie.
- Baseline normal DAV client behavior (sync clients, mobile apps) and flag deviations such as bulk file enumeration from non-sync user agents.
Monitoring Recommendations
- Forward Nextcloud nextcloud.log and webserver access logs to a central SIEM with retention sufficient to reconstruct login sequences.
- Track per-user 2FA completion rates and alert when a user account has DAV activity disproportionate to its successful 2FA events.
- Monitor for credential-stuffing patterns against the Nextcloud login endpoint, as successful primary authentication is the prerequisite for this bypass.
How to Mitigate CVE-2026-45691
Immediate Actions Required
- Upgrade Nextcloud Server to version 33.0.3 or 32.0.9 as soon as possible.
- For Nextcloud Enterprise Server, upgrade to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, or 29.0.16.16 depending on the deployed branch.
- Invalidate all active sessions and app passwords after patching to revoke any tokens an attacker may already hold.
- Rotate user passwords for accounts where credential compromise is suspected and review DAV access logs for the exposure window.
Patch Information
The fix is implemented in Nextcloud server pull request #59758, which enforces two-factor completion validation on the Bearer token authentication path used by DAV. Administrators should apply the appropriate fixed release for their branch and verify the running version after upgrade. Refer to the GitHub Security Advisory for the authoritative remediation matrix.
Workarounds
- If immediate patching is not possible, restrict access to DAV endpoints at the reverse proxy or WAF layer to known sync client IP ranges.
- Temporarily disable the affected Bearer authentication path at the webserver level for /remote.php/dav/ until the upgrade is completed.
- Enforce strong password policies and credential-stuffing protections to reduce the likelihood that an attacker obtains the primary credentials required to reach the vulnerable code path.
# Verify the running Nextcloud version after upgrade
sudo -u www-data php /var/www/nextcloud/occ status
# Invalidate existing sessions and app tokens for a user
sudo -u www-data php /var/www/nextcloud/occ user:disable <username>
sudo -u www-data php /var/www/nextcloud/occ user:enable <username>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
