Description
Nextcloud is an open source content collaboration platform. From version 33.0.0 to before version 33.1.0, after unlocking a locked Android phone the back-button could be used to bypass the Nextcloud Files app PIN. This issue has been patched in version 33.1.0.
Published: 2026-06-01
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Nextcloud Android Files app allowed a user who had unlocked a previously locked device to bypass the app’s PIN by simply pressing the device’s back button. The vulnerability lets an attacker gain authenticated access to the app’s contents without providing the correct PIN, effectively nullifying the intended authentication protection.

Affected Systems

The issue affects the Android Files app for all Nextcloud releases from version 33.0.0 up to, but not including, 33.1.0. The vulnerability is specific to the PassCodeActivity screen in these versions.

Risk and Exploitability

The CVSS score of 4.6 indicates a medium severity vulnerability. Because the exploit requires the device to be physically unlocked after a lock, it is a local attack vector and does not have a public remote exploit. EPSS data is not available and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, any user who has enabled a PIN on the Nextcloud app faces the risk of letting an attacker bypass it by simply pressing the back button after unlocking the device.

Generated by OpenCVE AI on June 1, 2026 at 18:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Nextcloud Android Files app to version 33.1.0 or later to address the PIN bypass flaw.
  • If an update is not immediately available, disable the PIN protection in the app’s security settings until the fix can be applied.
  • Ensure that no earlier, vulnerable versions remain installed on the device.

Generated by OpenCVE AI on June 1, 2026 at 18:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Nextcloud
Nextcloud android
Vendors & Products Nextcloud
Nextcloud android

Mon, 01 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Description Nextcloud is an open source content collaboration platform. From version 33.0.0 to before version 33.1.0, after unlocking a locked Android phone the back-button could be used to bypass the Nextcloud Files app PIN. This issue has been patched in version 33.1.0.
Title Nextcloud: PIN bypass in PassCodeActivity via back button
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Nextcloud Android
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T17:53:36.647Z

Reserved: 2026-05-08T20:44:38.964Z

Link: CVE-2026-45153

cve-icon Vulnrichment

Updated: 2026-06-01T17:53:33.595Z

cve-icon NVD

Status : Deferred

Published: 2026-06-01T17:17:08.860

Modified: 2026-06-01T18:14:29.087

Link: CVE-2026-45153

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T20:54:10Z

Weaknesses