Description
Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that were provided by LDAP to still authenticate towards user OIDC after they were deleted. This issue has been patched in version 8.4.0.
Published: 2026-06-01
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The User OIDC app for Nextcloud, versions 1.3.6 through 8.3.x, contained a wrong condition in its LdapService that let users provisioned from LDAP keep authenticating through the OIDC app after they had been deleted from the directory. The intended check (is this account still backed by LDAP?) is bypassed, so an identity that should no longer be valid is accepted. An attacker who can complete an OIDC login as such a deleted identity gains access to that account: its stored files, shares and messages, and a foothold for further access inside the Nextcloud instance.

Affected Systems

The vulnerability affects Nextcloud deployments that use the User OIDC app together with LDAP user provisioning. User OIDC app releases from 1.3.6 up to, but not including, 8.4.0 are affected; the version range refers to the app, not to the Nextcloud server. Deployments on User OIDC 8.4.0 or later are not affected because the fix shipped in that release.

Risk and Exploitability

With a CVSS 3.1 base score of 4.6 the vulnerability is rated Medium. The vector (AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L) places the attack on the network, on the publicly reachable OIDC login flow, but with high attack complexity, low privileges and user interaction required. In practice the attacker needs the identity provider to still issue a token for an identity that has been removed from LDAP, for example because deprovisioning in the IdP lags behind the directory; the advisory does not spell out the exact precondition. EPSS data is not available and the CVE is not listed in CISA's KEV catalog, so there is no evidence of exploitation in the wild. The outcome, continued access under a deleted account, still warrants prompt remediation.

Generated by OpenCVE AI on June 1, 2026 at 20:41 UTC.

Remediation

Vendor fix: User OIDC app 8.4.0 (per the CVE description). No workaround has been published.

OpenCVE Recommended Actions

  • Upgrade Nextcloud to version 8.4.0 or newer to apply the vendor patch that corrects the LDAP deletion check in the User OIDC LdapService
  • If upgrading immediately is not possible, disable the User OIDC app (occ app:disable user_oidc) until a patched version is deployed, which removes the affected login path entirely
  • Review authentication logs for OIDC sign‑ins by accounts that were removed from LDAP, verify with occ ldap:check-user that those accounts are really gone from Nextcloud, and block the source IP addresses of any sign‑ins you cannot explain
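One way to carry out the log review in the last recommendation, as an added example and not code from the Nextcloud project or from OpenCVE: it reads nextcloud.log-style JSON lines, keeps only successful user_oidc sign-ins, and cross-references the signed-in uid against a list of uids you know were removed from LDAP. The sample log lines are constructed (the field names follow Nextcloud's JSON log layout, the values and the "Login successful" message text are assumptions), and the deleted-uid list is assumed to come from your own directory change log or occ output.

```python
"""Flag OIDC sign-ins by accounts that were deleted from LDAP.

Added example for this advisory; not the Nextcloud project's code.
Assumptions: nextcloud.log is JSON-lines with the fields shown below,
the user_oidc app logs a "Login successful" message for completed
sign-ins, and DELETED_LDAP_UIDS is maintained by you.
"""
import json
from collections import Counter

# Constructed sample lines. Field names mirror Nextcloud's JSON log
# layout; every value and message here is invented for the example.
SAMPLE_LOG = "\n".join([
    '{"reqId":"a1","level":1,"time":"2026-06-01T18:02:11+00:00","remoteAddr":"203.0.113.7","user":"jdoe","app":"user_oidc","method":"GET","url":"/index.php/apps/user_oidc/code","message":"Login successful via provider keycloak"}',
    '{"reqId":"a2","level":1,"time":"2026-06-01T18:03:40+00:00","remoteAddr":"198.51.100.20","user":"asmith","app":"user_oidc","method":"GET","url":"/index.php/apps/user_oidc/code","message":"Login successful via provider keycloak"}',
    '{"reqId":"a3","level":1,"time":"2026-06-01T18:05:02+00:00","remoteAddr":"203.0.113.7","user":"mcurie","app":"user_oidc","method":"GET","url":"/index.php/apps/user_oidc/code","message":"Login successful via provider keycloak"}',
    '{"reqId":"a4","level":1,"time":"2026-06-01T18:06:15+00:00","remoteAddr":"192.0.2.9","user":"jdoe","app":"core","method":"POST","url":"/index.php/login","message":"Login failed: jdoe (Remote IP: 192.0.2.9)"}',
    '{"reqId":"a5","level":0,"time":"2026-06-01T18:07:00+00:00","remoteAddr":"192.0.2.9","user":"--","app":"user_oidc","method":"GET","url":"/index.php/apps/user_oidc/login/1","message":"Redirecting to provider"}',
    "this line is not JSON and must be skipped",
])

# uids removed from the directory (assumed input: your LDAP change log,
# or the users that `occ ldap:check-user` reports as no longer present).
DELETED_LDAP_UIDS = frozenset({"jdoe", "mcurie"})


def parse_log(text):
    """Yield one dict per valid JSON-object line; skip anything else."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict):
            yield entry


def is_oidc_login(entry):
    """True for a completed user_oidc sign-in of a named user.

    Nextcloud writes "--" as the user when no session user exists, so
    redirects and other pre-login events are excluded here.
    """
    return (
        entry.get("app") == "user_oidc"
        and entry.get("user") not in (None, "", "--")
        and "login successful" in str(entry.get("message", "")).lower()
    )


def find_deleted_user_logins(text, deleted_uids):
    """Return OIDC sign-ins whose uid is in deleted_uids, oldest first."""
    hits = [
        {
            "time": e.get("time"),
            "uid": e["user"],
            "remoteAddr": e.get("remoteAddr"),
            "reqId": e.get("reqId"),
        }
        for e in parse_log(text)
        if is_oidc_login(e) and e["user"] in deleted_uids
    ]
    # ISO-8601 timestamps with the same offset sort correctly as strings.
    hits.sort(key=lambda h: h["time"] or "")
    return hits


def source_addresses(hits):
    """Count flagged sign-ins per remote address for a block-list review."""
    return Counter(h["remoteAddr"] for h in hits)


if __name__ == "__main__":
    found = find_deleted_user_logins(SAMPLE_LOG, DELETED_LDAP_UIDS)
    for h in found:
        print(f"{h['time']} uid={h['uid']} from {h['remoteAddr']} reqId={h['reqId']}")
    print("by source:", dict(source_addresses(found)))
```

On the sample data only the two user_oidc sign-ins by jdoe and mcurie are flagged; the failed password login by jdoe (app "core") and the unauthenticated redirect (user "--") are ignored, which is the distinction you want when deciding which addresses to block.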

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 19:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that were provided by LDAP to still authenticate towards user OIDC after they were deleted. This issue has been patched in version 8.4.0.

Type: Title
  Values Removed: (none)
  Values Added: Nextcloud: Wrong condition in the User OIDC app's LdapService allowed deleted LDAP users to authenticate

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-284

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T16:57:56.210Z

Reserved: 2026-05-11T18:41:13.158Z

Link: CVE-2026-45284

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-01T19:16:50.670

Modified: 2026-06-01T19:16:50.670

Link: CVE-2026-45284

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T20:45:25Z

Weaknesses