Description
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authenticated attacker can access attachments of link shares when knowing the share token, circumventing password protection or download restrictions. It is applicable to any file that is shared directly, as the attacker only needs to know a documentId they own, apart from the mentioned share token. For shared folders the attacker has to know or guess a documentId of a file that is included inside the folder, making it much harder to exploit. The attacker can only extract attachments, but not the shared file or folder itself. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17 or 27.1.11.5.
Published: 2026-06-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In affected Nextcloud Server releases, an authenticated attacker can bypass password protection or download restrictions on shared text attachments when the share token and the documentId are known. The vulnerability allows the attacker to retrieve attachment files, but not the shared file or folder itself, resulting in a confidentiality breach of attachment content.

Affected Systems

Nextcloud Server versions 32.0.0 through 32.0.8 and 33.0.0 through 33.0.2 are affected. Enterprise releases also require updates to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17 or 27.1.11.5.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. EPSS data is not available, and the issue is not catalogued in KEV, suggesting no widespread exploitation campaigns yet. The attack requires authenticated access to the server plus knowledge of a share token and a documentId; the CVSS vector (AV:N, PR:L) classifies it as network-reachable through normal web interactions by a low-privileged user. The vulnerability is limited to attachments and cannot expose whole files or directories.

Generated by OpenCVE AI on June 1, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nextcloud Server to the recommended patched releases (33.0.3 or 32.0.9 for Standard; for Enterprise use the corresponding Enterprise releases).
  • If the upgrade cannot be applied immediately, consider restricting the "download attachments" permission in the sharing settings as a temporary measure, so that authenticated users cannot download text attachments via the documentId endpoint until the patch is in place.
  • Conduct an audit of all active file shares to identify any sensitive attachments that are shared without password protection or download restrictions, and modify or revoke those shares accordingly.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 21:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 19:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authenticated attacker can access attachments of link shares when knowing the share token, circumventing password protection or download restrictions. It is applicable to any file that is shared directly, as the attacker only needs to know a documentId they own, apart of the mentioned share token. For shared folders the attacker has to know or guess a documentId of a file that is included inside the folder, making it much harder to exploit. The attacker can only extract an attachments, but not the file shared file or folder itself. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17 or 27.1.11.5

Type: Title
Values Removed: (none)
Values Added: Nextcloud: Logged-in user bypasses share password and download restrictions on Text attachments via documentId leads to unauthorized file access

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-284

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T19:28:48.405Z

Reserved: 2026-05-11T18:41:13.157Z

Link: CVE-2026-45282

Vulnrichment

Updated: 2026-06-01T19:28:41.700Z

NVD

Status: Awaiting Analysis

Published: 2026-06-01T19:16:50.370

Modified: 2026-06-02T14:00:31.067

Link: CVE-2026-45282

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T21:15:15Z

Weaknesses