Description
Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that redirect users to another website when the victim uses the attacker's link to log in via user_oidc. This issue has been patched in version 8.2.2.
Published: 2026-06-01
Score: 3.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can create specially crafted URLs that cause a user logging in via the user_oidc flow to be redirected to an arbitrary website. According to the advisory title, the bypass uses a protocol-relative URL (a target of the form //attacker.example/...), which has no scheme and so passes a check meant to admit only same-origin paths, yet is resolved by the browser as an absolute URL on a foreign host. This is an open redirect, useful for phishing or social engineering (the victim lands on an attacker page after a genuine-looking login) but it provides no code execution and no tampering with stored data. The weakness is classified as CWE-601 (URL Redirection to Untrusted Site).

Affected Systems

The affected product is Nextcloud, an open source content collaboration platform, for all releases from 6.1.0 up to, but not including, 8.2.2. The vulnerability resides in the user_oidc component that handles OpenID Connect authentication.

Risk and Exploitability

The CVSS 3.1 score of 3.3 (vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) marks this issue as low severity: no privileges are needed, user interaction is required, and the only rated impact is a low loss of integrity. No EPSS score has been published yet and the vulnerability is not listed in CISA's KEV catalog, so there is currently no evidence of exploitation in the wild. The attack requires social engineering: the attacker sends the victim a malicious login link, and the redirect is triggered when the victim completes the user_oidc login through it.

Generated by OpenCVE AI on June 1, 2026 at 20:43 UTC.

Remediation

The vendor fix is Nextcloud user_oidc 8.2.2, as stated in the description. No separate workaround has been published.

OpenCVE Recommended Actions

  • Upgrade the Nextcloud user_oidc app to version 8.2.2 or later, which contains the fix for the open redirect.
  • If an immediate upgrade is not feasible, temporarily disable the user_oidc login method and fall back to another authentication method until the upgrade can be applied.
  • Treat post-login redirect targets as untrusted input wherever you can enforce it (for example at a reverse proxy in front of Nextcloud): accept only same-origin paths, and reject protocol-relative targets such as //attacker.example, since the advisory title identifies that form as the bypass.
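The recommendations above hinge on one point: a redirect target that "looks relative" is not necessarily same-origin. The following is an added illustration of that check, written for this page; it is not Nextcloud or user_oidc code, and the function names, the allowed host cloud.example and the sample targets are constructed for the example. It contrasts a naive "no scheme, starts with a slash" test, which accepts the protocol-relative form named in the advisory title, with a check that rejects any authority component, including the //host, /\host and ///host variants that browsers normalise to a foreign host.

```python
"""Same-origin check for a post-login redirect parameter (CWE-601).

Added example for this advisory page, not Nextcloud/user_oidc code.
ALLOWED_HOST and the sample targets below are constructed for illustration.
"""
from urllib.parse import urlsplit

ALLOWED_HOST = "cloud.example"  # hypothetical Nextcloud host


def is_safe_redirect_naive(target: str) -> bool:
    """Weak check: 'relative' means no scheme and a leading slash.

    A protocol-relative target such as //evil.example/ has no scheme and
    starts with '/', so it is accepted, but the browser resolves it against
    the current scheme and navigates to evil.example.
    """
    return target.startswith("/") and "://" not in target


def is_safe_redirect(target: str, allowed_host: str = ALLOWED_HOST) -> bool:
    """Hardened check: same-origin paths, or absolute http(s) URLs on our host.

    Rejects whitespace/control characters (they confuse URL parsers), then
    normalises backslashes to slashes the way browsers do, and refuses any
    target that carries an authority component. '///host' is handled
    explicitly because urlsplit() reports an empty netloc for it while
    browsers collapse the extra slashes and treat 'host' as the authority.
    """
    if not target or any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return False
    normalized = target.replace("\\", "/")
    parts = urlsplit(normalized)
    if parts.scheme:
        # Absolute URL: only http(s) and only our own host. hostname strips any
        # user@ prefix, so https://cloud.example@evil.example/ is rejected.
        return parts.scheme in ("http", "https") and parts.hostname == allowed_host.lower()
    if parts.netloc or normalized.startswith("//"):
        return False  # protocol-relative or slash-collapsed foreign authority
    return normalized.startswith("/")  # plain same-origin path


def evaluate(target: str, allowed_host: str = ALLOWED_HOST) -> tuple:
    """Return (naive_verdict, hardened_verdict) for one redirect target."""
    return is_safe_redirect_naive(target), is_safe_redirect(target, allowed_host)


# Constructed sample redirect targets an attacker or a normal user might supply.
SAMPLE_TARGETS = [
    "/apps/files/",                          # legitimate same-origin path
    "//evil.example/login",                  # protocol-relative: the bypass class
    "/\\evil.example",                       # backslash variant browsers normalise
    "///evil.example",                       # extra slashes browsers collapse
    "https://cloud.example/apps/files/",     # absolute URL on our own host
    "https://cloud.example@evil.example/",   # userinfo trick
    "javascript:alert(1)",                   # non-http scheme
]

if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        naive, hardened = evaluate(t)
        print(f"{t!r:40} naive={naive!s:5} hardened={hardened}")
```

Running the module prints the two verdicts side by side; the three foreign-host variants are accepted by the naive check and rejected by the hardened one, while the legitimate path and the same-host absolute URL pass the hardened check.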

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 19:00:00 +0000

Type: Description
  Values removed: (none)
  Values added: Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that redirect users to another website when the victim uses the attacker's link to log in via user_oidc. This issue has been patched in version 8.2.2.

Type: Title
  Values removed: (none)
  Values added: Nextcloud: Open Redirect in user_oidc login flow via protocol-relative URL bypass

Type: Weaknesses
  Values removed: (none)
  Values added: CWE-601

Type: References
  Values removed: (none)
  Values added: (none)

Type: Metrics
  Values removed: (none)
  Values added: cvssV3_1, score 3.3, vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T16:51:55.339Z

Reserved: 2026-05-11T18:41:13.157Z

Link: CVE-2026-45278

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-01T19:16:49.823

Modified: 2026-06-01T19:16:49.823

Link: CVE-2026-45278

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T20:45:25Z

Weaknesses