Description
Nextcloud is an open source content collaboration platform. Prior to versions 21.1.10, 22.0.11, and 23.0.3, a low-privileged user can force other users' microphones to be muted in calls when no High-performance Backend is installed. This issue has been patched in versions 21.1.10, 22.0.11, and 23.0.3.
Published: 2026-06-01
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Because internal signaling in Nextcloud lacks a proper permission check, a low-privileged user can force other users' microphones to be muted in calls. This is an incorrect access control weakness (CWE-284) that lets an attacker disrupt the audio component of a call, thereby impacting collaboration availability. The vulnerability does not expose data or allow arbitrary code execution; it merely causes a denial of service to selected participants. The attack would not change the overall confidentiality or integrity of the system beyond the audible interruption.

Affected Systems

All Nextcloud installations running a version prior to 21.1.10, 22.0.11, or 23.0.3 that do not have a High-performance Backend installed are affected. The weakness resides in the Spreed call module of Nextcloud.

Risk and Exploitability

The CVSS score of 3.5 classifies the issue as low severity, and the EPSS score is below 1% (very low), indicating no obvious evidence of widespread exploitation. The flaw is not listed in CISA's KEV catalog, and no public exploit has been reported. The attack can be carried out by any user who has access to a call and is authenticated to the server; the attacker would need to send a force-mute request through the internal signaling channel. Because the damage is limited to audio interruption and requires only low-privileged credentials, the overall risk is considered low for most deployments.

Generated by OpenCVE AI on June 1, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Nextcloud 21.1.10, 22.0.11, 23.0.3 or later where the patch is included.
  • If an upgrade cannot be performed immediately, disable or remove the internal signaling module until a patched version is available.
  • Limit microphone mute control to privileged roles in Nextcloud’s role‑based permission settings so that low‑privileged users cannot execute the force‑mute action.

Generated by OpenCVE AI on June 1, 2026 at 18:35 UTC.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Nextcloud; Nextcloud spreed |
| Vendors & Products | | Nextcloud; Nextcloud spreed |

Mon, 01 Jun 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Mon, 01 Jun 2026 17:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Nextcloud is an open source content collaboration platform. Prior to versions 21.1.10, 22.0.11, and 23.0.3, a low-privileged user can force other users' microphones to be muted in calls when no High-performance Backend is installed. This issue has been patched in versions 21.1.10, 22.0.11, and 23.0.3. |
| Title | | Nextcloud: Unauthorized force-mute from missing permission check when using internal signaling |
| Weaknesses | | CWE-284 |
| References | | |
| Metrics | | cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N'} |

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T17:40:19.878Z

Reserved: 2026-05-11T18:41:13.156Z

Link: CVE-2026-45266

Vulnrichment

Updated: 2026-06-01T17:40:15.423Z

NVD

Status: Deferred

Published: 2026-06-01T17:17:09.827

Modified: 2026-06-01T18:14:29.087

Link: CVE-2026-45266

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:54:00Z

Weaknesses