Description
Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been patched in versions 3.1.0, 4.1.0, 5.1.0, 6.4.0 and 8.3.0.
Published: 2026-06-01
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing signature verification in the User OIDC implementation of Nextcloud allowed an attacker who controls an ID4me authority to forge a JSON Web Token that identifies as any user. Because the token is accepted without verification, the attacker can impersonate legitimate users, gaining access to files, settings, and collaboration spaces. The flaw is classified as CWE-287, a failure of authentication causing a serious breach of confidentiality and integrity.

Affected Systems

The vulnerability affects Nextcloud versions 0.3.0 through before 3.1.0, 5.0.0 through before 5.1.0, and 6.0.0 through before 6.4.0. The issue was fixed in releases 3.1.0, 4.1.0, 5.1.0, 6.4.0, and 8.3.0. All installations using the affected ranges that enable the User OIDC (ID4me) feature are at risk.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity risk. The EPSS score is not available, so exploitation probability cannot be quantified, but the flaw can be leveraged by any entity that can set up a malicious ID4me authority, which may be a realistic threat. The vulnerability is not listed in CISA KEV, but the impact of impersonation makes it a critical concern for organizations relying on Nextcloud for secure collaboration.

Generated by OpenCVE AI on June 1, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nextcloud to a version that includes the User OIDC fix (3.1.0, 4.1.0, 5.1.0, 6.4.0, or later).
  • If upgrading is not immediately possible, disable the User OIDC (ID4me) integration until the patch is applied.
  • Conduct a post‑deployment review of user permissions and audit file accesses to confirm no unauthorized accounts have been created.

Generated by OpenCVE AI on June 1, 2026 at 19:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Nextcloud
Nextcloud user Oidc
Vendors & Products Nextcloud
Nextcloud user Oidc

Mon, 01 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Description Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been patched in versions 3.1.0, 4.1.0, 5.1.0, 6.4.0 and 8.3.0.
Title Nextcloud: Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

Nextcloud User Oidc
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-03T03:55:47.564Z

Reserved: 2026-05-08T20:44:38.964Z

Link: CVE-2026-45156

cve-icon Vulnrichment

Updated: 2026-06-01T18:12:55.715Z

cve-icon NVD

Status : Deferred

Published: 2026-06-01T17:17:09.283

Modified: 2026-06-01T18:14:29.087

Link: CVE-2026-45156

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T20:54:05Z

Weaknesses