CVE-2026-45810 Overview
CVE-2026-45810 is an information disclosure vulnerability in Nextcloud Server and Nextcloud Enterprise Server. The flaw stems from a missing relation check in the file comments subsystem [CWE-639]. Authenticated users with access to any single file comment can read the content of all comments across the platform. The issue affects Nextcloud Server versions 31.0.0 to before 31.0.12 and 32.0.0 to before 32.0.3. Multiple Nextcloud Enterprise Server branches are also affected. The vulnerability requires authentication and user interaction to exploit, but it can expose sensitive data shared in comments across tenant boundaries.
Critical Impact
Authenticated attackers can read every file comment stored in the Nextcloud instance, exposing private discussions, internal notes, and potentially sensitive business data.
Affected Products
- Nextcloud Server 31.0.0 through 31.0.11
- Nextcloud Server 32.0.0 through 32.0.2
- Nextcloud Enterprise Server (multiple branches from 21.0.x through 32.0.x)
Discovery Timeline
- 2026-06-01 - CVE-2026-45810 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-45810
Vulnerability Analysis
The vulnerability resides in the Nextcloud comment retrieval logic. The application fails to validate that the requesting user has authorization to access the parent object associated with each comment. This is a classic Insecure Direct Object Reference (IDOR) pattern, categorized as [CWE-639] (Authorization Bypass Through User-Controlled Key).
When a user requests comment data, the backend performs an identity check but does not enforce the relational constraint linking the comment to a file the user can access. As a result, supplying a comment identifier returns the comment content regardless of whether the user has permission to view the underlying file. An attacker who obtains access to a single comment endpoint can iterate identifiers to extract every comment in the system.
Exploitation requires a valid authenticated session and basic interaction with the affected endpoint. The scope is changed because data belonging to other users and groups becomes accessible from a single compromised account.
Root Cause
The root cause is a missing authorization check on the relation between a comment object and its parent file. The code path that returns comment content does not verify that the authenticated user has read access to the file the comment is attached to. This separation between authentication and resource-level authorization is the defining characteristic of broken access control flaws.
Attack Vector
The attack vector is network-based and requires low-privilege authenticated access. An attacker with any standard Nextcloud account can issue requests to the comments API and enumerate comment identifiers. No special configuration or elevated privileges are required on the target instance. See the GitHub Security Advisory and the upstream GitHub Pull Request for the corrective code change.
No verified public exploit code is available. The vulnerability is described in prose only because realCodeExamples were not provided. The HackerOne Report #3425534 documents the original disclosure.
Detection Methods for CVE-2026-45810
Indicators of Compromise
- Unusual volume of requests to the Nextcloud comments API endpoints from a single authenticated user session.
- Sequential or enumerated access patterns against comment identifiers in application logs.
- Authenticated accounts retrieving comment data tied to files outside their group or share scope.
Detection Strategies
- Review Nextcloud application logs for high-frequency calls to comment retrieval routes by individual users.
- Correlate comment access events with file share membership to flag access to comments on unshared files.
- Baseline normal comment API usage per user role and alert on statistical deviations.
Monitoring Recommendations
- Forward Nextcloud audit logs to a centralized logging or SIEM platform for retention and analysis.
- Enable verbose logging on the comments controller to capture user identifiers, comment IDs, and parent file IDs.
- Monitor authentication events for accounts that begin issuing atypical API requests shortly after login.
How to Mitigate CVE-2026-45810
Immediate Actions Required
- Upgrade Nextcloud Server to version 31.0.12 or 32.0.3 without delay.
- Upgrade Nextcloud Enterprise Server to the patched release matching your current branch, such as 30.0.17.5, 29.0.16.10, or 28.0.14.13.
- Audit recent comment API activity for signs of enumeration prior to patching.
Patch Information
Nextcloud has released fixed builds for both Server and Enterprise Server. Upgrade Nextcloud Server to 31.0.12 or 32.0.3. For Nextcloud Enterprise Server, upgrade to one of the following: 21.0.9.20, 22.2.10.35, 23.0.12.31, 24.0.12.30, 25.0.13.25, 26.0.13.22, 27.1.11.22, 28.0.14.13, 29.0.16.10, 30.0.17.5, 31.0.12, or 32.0.3. The corrective change is published in the GitHub Pull Request.
Workarounds
- No official workaround is published; apply the vendor patch as the primary remediation.
- As a temporary measure, restrict comment functionality to trusted user groups using role-based access controls.
- Reduce the attack surface by disabling self-registration and enforcing strong authentication on all accounts.
# Configuration example: verify Nextcloud version after upgrade
sudo -u www-data php /var/www/nextcloud/occ status
sudo -u www-data php /var/www/nextcloud/occ upgrade
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
