Description
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a malicious user has access to a file share of a user, they could use this share token to also access the chunking upload directly and see temporary part files during ongoing uploads. It is recommended that Nextcloud Server is upgraded to 32.0.9 or 33.0.3, and that Nextcloud Enterprise Server is upgraded to 26.0.13.26, 27.1.11.25, 28.0.14.17, 29.0.16.16, 30.0.17.9, 31.0.14.5, 32.0.9 or 33.0.3.
Published: 2026-06-01
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker who has a share token to view the temporary chunk files that are created during a file upload by another user. The flaw is a result of improper authorization (CWE-284) and lets the attacker observe data that should only be accessible to the file owner while the upload is in progress. The impact is a confidentiality compromise of transient data, potentially revealing sensitive information such as filenames and partial file contents.

Affected Systems

Affected products include Nextcloud Server versions 32.0.0 through 32.0.8 and 33.0.0 through 33.0.2, as well as Nextcloud Enterprise Server releases that predate the patched versions 26.0.13.26, 27.1.11.25, 28.0.14.17, 29.0.16.16, 30.0.17.9, 31.0.14.5, 32.0.9, and 33.0.3. Upgrading to the listed patched releases removes the flaw.

Risk and Exploitability

The CVSS score of 6.3 classifies this as a moderate severity flaw, and the EPSS score is not available, which means the probability of exploitation is currently unknown but could be nontrivial given the easy acquisition of share tokens. The flaw is not listed in the CISA KEV catalog. An attacker can exploit it by using an existing share token to access the chunking upload endpoint and download the temporary files. No additional authentication or privilege escalation is required beyond possession of the share token.

Generated by OpenCVE AI on June 1, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official upgrade to Nextcloud Server 32.0.9 or newer, or 33.0.3 or newer if using the 33.x branch.
  • Upgrade Nextcloud Enterprise Server to the corresponding patched release versions (26.0.13.26, 27.1.11.25, 28.0.14.17, 29.0.16.16, 30.0.17.9, 31.0.14.5, 32.0.9, or 33.0.3).
  • Validate that share tokens are used only for their intended purposes by enforcing stricter token permissions or by monitoring token usage logs for abnormal access patterns.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nextcloud; Nextcloud nextcloud Server
Vendors & Products | | Nextcloud; Nextcloud nextcloud Server

Mon, 01 Jun 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 17:00:00 +0000

Type | Values Removed | Values Added
Description | | Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a malicious user has access to a file share of a user, they could use this share token to also access the chunking upload directly and see temporary part files during ongoing uploads. It is recommended that the Nextcloud Server is upgraded to 32.0.9 or 33.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 26.0.13.26, 27.1.11.25, 28.0.14.17, 29.0.16.16, 30.0.17.9, 31.0.14.5, 32.0.9 or 33.0.3
Title | | Nextcloud: Valid share tokens allow to access temporary upload files of share owner
Weaknesses | | CWE-284
References | |
Metrics | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T18:49:19.371Z

Reserved: 2026-05-08T20:44:38.964Z

Link: CVE-2026-45157

Vulnrichment

Updated: 2026-06-01T18:49:14.624Z

NVD

Status: Deferred

Published: 2026-06-01T17:17:09.420

Modified: 2026-06-01T18:14:29.087

Link: CVE-2026-45157

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:54:04Z

Weaknesses