Description
Nextcloud is an open source content collaboration platform. Prior to version 5.2.6, a missing permissions check allowed users to request reading form submissions of other users. This issue has been patched in version 5.2.6.
Published: 2026-06-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing permission check that allowed authenticated users to request and read form submissions belonging to other users. This flaw exposes confidential data that should be restricted to the form creator and intended respondents. It is directly linked to information disclosure (CWE‑200) and inadequate authorization checks (CWE‑862).

Affected Systems

The issue applies to the Nextcloud content collaboration platform in all releases prior to 5.2.6. Only instances running those older versions are vulnerable.

Risk and Exploitability

With a CVSS score of 6.5, the severity is moderate. No EPSS score is available, and the vulnerability is not yet listed in CISA’s KEV catalog. The attack can be executed by any authenticated user who can submit forms, so the threat is limited to users with valid credentials but potentially broad if many users can submit forms.

Generated by OpenCVE AI on June 1, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Nextcloud 5.2.6 or later, which restores the missing permission check
  • Review and restrict form‑submission visibility so that only authorized users can view submissions
  • Monitor user activity logs for unusual or unauthorized access to form submissions

Generated by OpenCVE AI on June 1, 2026 at 18:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Nextcloud
Nextcloud forms
Vendors & Products Nextcloud
Nextcloud forms

Mon, 01 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Description Nextcloud is an open source content collaboration platform. Prior to version 5.2.6, a missing permissions check allowed users to request reading form submissions of other users. This issue has been patched in version 5.2.6.
Title Nextcloud: Missing permission check for from submissions
Weaknesses CWE-200
CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Nextcloud Forms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T18:12:23.278Z

Reserved: 2026-05-11T18:41:13.156Z

Link: CVE-2026-45267

cve-icon Vulnrichment

Updated: 2026-06-01T18:12:18.796Z

cve-icon NVD

Status : Deferred

Published: 2026-06-01T17:17:09.963

Modified: 2026-06-01T18:14:29.087

Link: CVE-2026-45267

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T20:53:59Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-862

    Missing Authorization