Description
Nextcloud is an open source content collaboration platform. From versions 0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, and 1.0.0 to before 1.0.4, an authenticated attacker with access to the Tables app may be able to execute arbitrary SQL queries up to 20 bytes long, through a stored injection. With carefully crafted input it is possible to break out of the length limitation. The attacker could use this to extract information from the database, or modify data. This issue has been patched in versions 0.7.7, 0.8.10, 0.9.8, 1.0.4, and 2.0.0.
Published: 2026-06-01
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a SQL injection flaw in the Tables app that allows an authenticated attacker to inject SQL statements of up to 20 bytes via a stored column type parameter. With carefully crafted input the length restriction can be bypassed, leading to execution of arbitrary SQL commands that can expose or modify sensitive data in the Nextcloud database. The weakness is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): attacker-controlled input is incorporated into query text without adequate validation.
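The pattern behind a column-type injection, and the allow-list fix for it, as an added illustration in PHP (Nextcloud's language). This is not code from the Tables app and does not claim to show where the flaw was; the function names, table name and column-type map are hypothetical. The security-relevant point is that a column type lands inside DDL, where it cannot be bound as a prepared-statement parameter, so the only sound defence is to treat the client's value as a lookup key and emit a server-controlled SQL fragment.

```php
<?php
declare(strict_types=1);

// Added illustration, not Nextcloud Tables code. All names here are hypothetical.

/**
 * Vulnerable pattern (CWE-89): the user-supplied column type is interpolated
 * straight into DDL. Because a type name is part of the statement grammar, it
 * cannot be passed as a bound parameter, so prepared statements alone do not
 * help; any validation must happen before the string is assembled. A length
 * cap on the stored value limits, but does not remove, what can be injected.
 */
function buildAlterTableUnsafe(string $table, string $column, string $userType): string
{
    return "ALTER TABLE `{$table}` ADD COLUMN `{$column}` {$userType}";
}

/**
 * Allow-list: a short key chosen by the client maps to a fixed SQL type
 * chosen by the server. The client value never reaches the query text.
 */
const COLUMN_TYPES = [
    'text'     => 'TEXT',
    'number'   => 'DOUBLE PRECISION',
    'datetime' => 'DATETIME',
    'bool'     => 'BOOLEAN',
];

/** Quote an identifier, accepting only a conservative character set. */
function quoteIdentifier(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name)) {
        throw new InvalidArgumentException("Invalid identifier: {$name}");
    }
    return '`' . $name . '`';
}

/**
 * Hardened pattern: look the key up in COLUMN_TYPES and refuse anything else.
 * Because the injection is stored, apply this check both when the type is
 * saved and again when it is read back to build the statement, so a value
 * written by an older, unvalidated code path cannot reach the database.
 */
function buildAlterTableSafe(string $table, string $column, string $typeKey): string
{
    if (!array_key_exists($typeKey, COLUMN_TYPES)) {
        throw new InvalidArgumentException("Unknown column type key: {$typeKey}");
    }
    return sprintf(
        'ALTER TABLE %s ADD COLUMN %s %s',
        quoteIdentifier($table),
        quoteIdentifier($column),
        COLUMN_TYPES[$typeKey]
    );
}

// Demonstration with constructed inputs (hypothetical table and column names).
echo buildAlterTableSafe('tbl_example', 'amount', 'number'), PHP_EOL;
// prints: ALTER TABLE `tbl_example` ADD COLUMN `amount` DOUBLE PRECISION

// Anything that is not an exact allow-list key is rejected, whatever its
// length or content; there is no string for the attacker to shape.
foreach (['varchar(255)', 'text; x', 'TEXT'] as $bad) {
    try {
        buildAlterTableSafe('tbl_example', 'amount', $bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The unsafe builder is included only for contrast and is never called. The design choice worth noting is that the allow-list is keyed, not pattern-matched: a regex over type names would have to anticipate every dialect-specific spelling and every way of smuggling a delimiter past a length limit, whereas a key lookup leaves nothing for crafted input to exploit.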

Affected Systems

Nextcloud instances with the Tables app at any affected release: 0.7.0 through 0.7.6, 0.8.0 through 0.8.9, 0.9.0 through 0.9.7, and 1.0.0 through 1.0.3. Tables 0.7.7, 0.8.10, 0.9.8, 1.0.4, and 2.0.0 or later contain the fix, removing the injection vector.

Risk and Exploitability

The CVSS 3.1 base score of 8.2 (High) follows from the recorded vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N: reachable over the network, high attack complexity, low privileges required, no user interaction, changed scope, and high impact on confidentiality and integrity with no availability impact. The EPSS score is below 1% (Very Low), so the predicted probability of exploitation in the wild is low, but the ability to break out of the 20-byte limit with crafted input means a successful injection is not confined to trivial statements. The vulnerability is only exploitable by users who are authenticated and have permission to use the Tables app, implying an internal or privileged-user threat model. The flaw is not listed in CISA's KEV catalogue, yet the potential for data exfiltration or tampering warrants prompt patching.

Generated by OpenCVE AI on June 1, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Tables app to a fixed release for the branch in use: 0.7.7, 0.8.10, 0.9.8, 1.0.4, or 2.0.0 or later.
  • Disable or remove the Tables app from servers that do not require it to eliminate the attack surface.
  • Ensure that only trusted users have access to the Tables app, and monitor database query logs for anomalous statements originating from the Tables app.


Advisories

No advisories yet.

History

Thu, 04 Jun 2026 17:00:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:nextcloud:tables:*:*:*:*:*:nextcloud:*:*

Wed, 03 Jun 2026 02:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Nextcloud; Nextcloud tables

Type: Vendors & Products
Values Removed: (none)
Values Added: Nextcloud; Nextcloud tables

Tue, 02 Jun 2026 16:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 19:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Nextcloud is an open source content collaboration platform. From versions 0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, and 1.0.0 to before 1.0.4, an authenticated attacker with access to the Tables app may be able to execute arbitrary up to 20 bytes long SQL queries, through a stored injection. With carefully crafted input it is possible to break out of the length limitation. The attacker could use this to extract information from the database, or modify data. This issue has been patched in versions 0.7.7, 0.8.10, 0.9.8, 1.0.4, and 2.0.0.

Type: Title
Values Removed: (none)
Values Added: Nextcloud: SQL Injection in Column Type Parameter Allows Arbitrary SQL Execution

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T15:23:30.574Z

Reserved: 2026-05-12T17:48:47.879Z

Link: CVE-2026-45545

Vulnrichment

Updated: 2026-06-02T15:23:25.361Z

NVD

Status: Analyzed

Published: 2026-06-01T19:16:52.020

Modified: 2026-06-04T16:50:00.957

Link: CVE-2026-45545

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:53:39Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')