Description
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.7 and 33.0.0 to before 33.0.1, a missing access check at the API level allowed unknown circles to be added, by their ID, directly to other circles. Since circle IDs have 62^15 complexity by default this is still unlikely to be executable at will, but if access to an ID was available via another source, memberships could be tracked this way. It is recommended that the Nextcloud Server is upgraded to 32.0.7 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7 or 33.0.1.
Published: 2026-06-01
Score: 2.6 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing access check in Nextcloud's circle API allows an authenticated user to add an existing but private circle to another circle simply by specifying its ID. Because each circle ID is 15 characters drawn from a 62-character alphabet, the probability of guessing a valid ID is extremely low, yet any attacker who already knows a valid ID (obtained from another source, such as a shared link or a leaked log) can use the API to link circles and thereby reveal membership relationships. The exposure is a privacy breach of who belongs to which private circle and may let an adversary infer sensitive collaboration patterns. This flaw is a classic example of an authorization bypass through a user-controlled key (CWE-639).

Affected Systems

The vulnerability affects Nextcloud Server versions 32.0.0 up to and including 32.0.6 (fixed in 32.0.7) and version 33.0.0 (fixed in 33.0.1), as well as Nextcloud Enterprise Server releases prior to the fixed versions 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7 and 33.0.1. All affected installations expose the circle API that permits adding circles by ID without an appropriate access check.

Risk and Exploitability

The CVSS 3.1 score for this weakness is 2.6 (Low); the vector records high attack complexity (AC:H), low privileges required (PR:L), required user interaction (UI:R) and a confidentiality-only impact (C:L). EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to have API access and to know a legitimate circle ID; the size of the ID space makes the attack path difficult to launch from scratch, yet an attacker with prior knowledge of an ID can perform the action without further privilege escalation. Overall the risk is moderate, largely due to potential privacy loss rather than system compromise.

Generated by OpenCVE AI on June 1, 2026 at 18:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nextcloud Server to 32.0.7 or 33.0.1.
  • Upgrade Nextcloud Enterprise Server to 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7 or 33.0.1.
  • If an immediate upgrade is not possible, restrict the API so that only authorized administrators can add circles and validate circle IDs against a whitelist before permitting the operation.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

  • First Time appeared: values added: Nextcloud, Nextcloud circles
  • Vendors & Products: values added: Nextcloud, Nextcloud circles

Mon, 01 Jun 2026 18:30:00 +0000

  • Metrics (ssvc): values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 17:00:00 +0000

  • Description: values added: Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.7 and 33.0.0 to before 33.0.1, a missing access check on API level allowed to add unknown circles by their ID directly to other circles. Since circle IDs have 62^15 complexity by default this is still unlikely to be executable at will, but if access to an ID was available via another source, memberships could be tracked like this. It is recommended that the Nextcloud Server is upgraded to 32.0.7 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7 or 33.0.1
  • Title: values added: Nextcloud: Private circle can be added to another circle via API
  • Weaknesses: values added: CWE-639
  • References: (none)
  • Metrics (cvssV3_1): values added: {'score': 2.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T18:09:28.247Z

Reserved: 2026-05-08T20:44:38.964Z

Link: CVE-2026-45155

Vulnrichment

Updated: 2026-06-01T18:09:16.819Z

NVD

Status: Deferred

Published: 2026-06-01T17:17:09.150

Modified: 2026-06-01T18:14:29.087

Link: CVE-2026-45155

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:54:07Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key