CVE-2026-45154 - Vulnerability Details

- Nextcloud: Improper Access Control in Collectives

Description

Nextcloud is an open source content collaboration platform. From version 2.6.0 to before version 4.3.0, when a previous collective pages was deleted and the collective was shared view-only, guests with access to the collective were able to access the deleted pages directly from the trashbin. This issue has been patched in version 4.3.0.

Published: 2026-06-01

Score: 2.6 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Nextcloud’s Collectives module failed to enforce proper access control after a page was deleted, allowing guests who had view‑only access to the collective to retrieve the deleted page from the trashbin. This flaw presents a privilege‑escalation–style vulnerability of CWE‑284, leading to inadvertent disclosure of content that should have been removed. The CVSS score of 2.6 reflects the low‑to‑moderate risk and the fact that no direct code execution or data manipulation is enabled, but the illicit read of sensitive material could be detrimental in regulated environments.

Affected Systems

The issue affects Nextcloud installations from version 2.6.0 through just before version 4.3.0, specifically the Collectives application when a guest user with view‑only rights has access to a collective that contains pages that have been deleted. Administrators should audit their instances to determine whether any guests were granted view‑only access to such collectives prior to upgrading to the patched release.

Risk and Exploitability

Because the vulnerability can be exploited without administrator credentials—any guest with view‑only permissions to the collective can trigger the flaw—the attack vector is local to the application layer. The lack of an EPSS score and absence from the KEV catalog suggest current exploitation is not widespread, yet the potential for confidential data leakage warrants prompt action. The CVSS score underscores a moderate likelihood of impact should the vulnerability remain unpatched.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

nextcloud

security-advisories

affected

Version	Status	Constraints
`>= 2.6.0, < 4.3.0`	affected	—

No data.

Vendor Product Confidence Versions

Nextcloud

Collectives

100%

Version	Status	Scheme	Platform
`[2.6.0,4.3.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Nextcloud to version 4.3.0 or later, the release that contains the official fix.
Re‑evaluate collective guest permissions and ensure that view‑only guests rely on the updated code path that blocks trashbin access.
If an immediate update is infeasible, temporarily revoke view‑only rights for guests on affected collectives or delete the trashbin contents to eliminate the hidden data paths.

Generated by OpenCVE AI on June 1, 2026 at 18:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00189.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/nextcloud/collectives/pull/2432
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8mpv-ggq8-hf3w
https://hackerone.com/reports/3521434

History

Wed, 03 Jun 2026 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Nextcloud Nextcloud collectives
Vendors & Products		Nextcloud Nextcloud collectives

Mon, 01 Jun 2026 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		Nextcloud is an open source content collaboration platform. From version 2.6.0 to before version 4.3.0, when a previous collective pages was deleted and the collective was shared view-only, guests with access to the collective were able to access the deleted pages directly from the trashbin. This issue has been patched in version 4.3.0.
Title		Nextcloud: Improper Access Control in Collectives
Weaknesses		CWE-284
References		https://github.com/nextcloud/collectives/pull/2432 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8mpv-ggq8-hf3w https://hackerone.com/reports/3521434
Metrics		cvssV3_1 `{'score': 2.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N'}`

Subscriptions

Nextcloud Collectives

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-01T16:37:41.710Z

Updated: 2026-06-01T17:40:50.457Z

Reserved: 2026-05-08T20:44:38.964Z

Link: CVE-2026-45154

Vulnrichment

Updated: 2026-06-01T17:40:44.996Z

NVD

Status : Deferred

Published: 2026-06-01T17:17:09.013

Modified: 2026-06-01T18:14:29.087

Link: CVE-2026-45154

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:54:08Z

Weaknesses

CWE-284
Improper Access Control

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object