Description
Nextcloud is an open source content collaboration platform. From versions 1.15.0 to before 1.15.4, 1.16.0 to before 1.16.3, 1.17.0 to before 1.17.1, and 1.18.0 to before 1.18.1, a malicious user with access to an end-to-end encrypted files drop link was able to also drop files into other end-to-end encrypted folders of the share owner. Reading and modifying of other files was not possible. This issue has been patched in versions 1.15.4, 1.16.3, 1.17.1, 1.18.1, and 2.0.0-rc.7.
Published: 2026-06-01
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a malicious user who possesses a files drop link to upload files into any other end‑to‑end encrypted folder belonging to the share owner, even though the user cannot read or modify the files already in those folders. This bypasses the intended isolation of encrypted folders and is classified as CWE‑639, Authorization Bypass Through User-Controlled Key: the upload permission granted by the drop link was not confined to the single folder the link was issued for.
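As an added illustration (not Nextcloud's code and not the actual patch), a minimal model of the CWE‑639 pattern behind this issue: an upload handler that trusts the request-supplied target folder id, beside one that binds every drop token to the single folder it was issued for and logs rejected attempts. Folder ids, user names and the token are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DropLinkShare:
    """A files-drop share: the token grants upload-only access to one folder."""
    token: str
    owner: str
    folder_id: str  # the single folder this link was created for


@dataclass
class Folder:
    folder_id: str
    owner: str
    e2ee: bool
    files: list = field(default_factory=list)


# Constructed sample data (hypothetical ids, not taken from the advisory).
FOLDERS = {
    "f-shared": Folder("f-shared", "alice", e2ee=True),   # folder the link is for
    "f-private": Folder("f-private", "alice", e2ee=True), # another E2EE folder, same owner
    "f-bob": Folder("f-bob", "bob", e2ee=True),           # E2EE folder of a different user
}
SHARES = {"tok123": DropLinkShare("tok123", "alice", "f-shared")}
audit_log = []  # rejected drops, for the "audit uploads" recommendation


def _lookup(token, target_folder_id):
    return SHARES.get(token), FOLDERS.get(target_folder_id)


def upload_vulnerable(token, target_folder_id, name):
    """CWE-639 pattern: the target folder id comes from the request and is
    only checked for being an E2EE folder of the share owner, so any other
    encrypted folder of that owner accepts the drop."""
    share, folder = _lookup(token, target_folder_id)
    if share is None or folder is None or folder.owner != share.owner or not folder.e2ee:
        return False
    folder.files.append(name)
    return True


def upload_fixed(token, target_folder_id, name):
    """Hardened: a drop token may only write to the folder it was issued for."""
    share, folder = _lookup(token, target_folder_id)
    if share is None or folder is None or folder.folder_id != share.folder_id:
        audit_log.append(f"rejected drop token={token} target={target_folder_id}")
        return False
    folder.files.append(name)
    return True
```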

Affected Systems

Affected versions of the Nextcloud End To End Encryption app are 1.15.0 through 1.15.3, 1.16.0 through 1.16.2, 1.17.0, and 1.18.0. The issue was fixed in 1.15.4, 1.16.3, 1.17.1, 1.18.1, and in the release candidate 2.0.0‑rc.7 and later.

Risk and Exploitability

The CVSS score of 3.5 places the issue in the low severity band. Exploitation requires only possession of a valid files drop link, which is easily shared; an attacker needs no further privileges or knowledge beyond the link, so the attack vector is remote via the web interface. Although the flaw grants no read access to other users’ files, it lets an attacker inject malicious or misleading content into encrypted folders. The vulnerability is not listed in the CISA KEV catalog and its EPSS score is very low (below 1%), suggesting limited known exploitation.

Generated by OpenCVE AI on June 1, 2026 at 18:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nextcloud to a version that contains the patch (1.15.4 or later, 1.16.3 or later, 1.17.1 or later, 1.18.1 or later, or 2.0.0‑rc.7 and later).
  • If an upgrade is not immediately possible, disable or remove upload‑enabled drop links for encrypted folders until the patch is applied.
  • Restrict the creation of drop links to trusted users and ensure the upload option is only enabled for users who require it.
  • Audit and review uploads to encrypted folders for unexpected or malicious files and configure alerts as needed.

Generated by OpenCVE AI on June 1, 2026 at 18:36 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type: First Time appeared
  Values Added: Nextcloud; Nextcloud End To End Encryption
Type: Vendors & Products
  Values Added: Nextcloud; Nextcloud End To End Encryption

Mon, 01 Jun 2026 20:30:00 +0000

Type: Metrics
  Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 17:00:00 +0000

Type: Description
  Values Added: Nextcloud is an open source content collaboration platform. From versions 1.15.0 to before 1.15.4, 1.16.0 to before 1.16.3, 1.17.0 to before 1.17.1, and 1.18.0 to before 1.18.1, a malicious user with access to an end-to-end encrypted files drop link was able to also drop files into other end-to-end encrypted folders of the share owner. Reading and modifying of other files was not possible. This issue has been patched in versions 1.15.4, 1.16.3, 1.17.1, 1.18.1, and 2.0.0-rc.7.
Type: Title
  Values Added: Nextcloud: Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner
Type: Weaknesses
  Values Added: CWE-639
Type: References
Type: Metrics
  Values Added: cvssV3_1
  {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Nextcloud End To End Encryption
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T19:30:25.192Z

Reserved: 2026-05-08T20:44:38.965Z

Link: CVE-2026-45159

Vulnrichment

Updated: 2026-06-01T19:30:20.748Z

NVD

Status : Deferred

Published: 2026-06-01T17:17:09.550

Modified: 2026-06-01T18:14:29.087

Link: CVE-2026-45159

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:54:02Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key