Description
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user's password to circumvent two-factor authentication (2FA) protections. When a user initiated login with valid credentials on a 2FA-enabled account, the system created a temporary session token before enforcing the second factor challenge. This token could be extracted and replayed via HTTP Basic Authentication to gain unauthorized access to authenticated endpoints. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16.
Published: 2026-06-01
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in Nextcloud Server allows an attacker who knows a user's password to bypass two-factor authentication by reusing a transient session token. During the normal login flow a temporary token is created before the second-factor challenge is enforced, and that token can be extracted and replayed with HTTP Basic Authentication, granting the attacker access to authenticated resources without ever being challenged for the second factor. The weakness is classified as an authentication bypass (CWE-287).

Affected Systems

The flaw affects Nextcloud Server community versions 32.0.0 through 32.0.8 and 33.0.0 through 33.0.2. For Nextcloud Enterprise Server the advisory names 31.0.14.5, 30.0.17.9, 29.0.16.16, 32.0.9 and 33.0.3 as the releases that carry the fix. The advisory recommends upgrading to either of the patched releases 32.0.9 or 33.0.3 for the community edition, and to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16 for the Enterprise edition.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to already possess valid user credentials and to obtain the temporary session token that is issued during the standard login flow before the second factor is verified. Once the token is replayed via HTTP Basic Authentication, the attacker can access any authenticated endpoint with the privileges of the target user. Because the attack hinges on valid credentials plus access to the pending token (for example through interception of the login traffic), attackers holding compromised or phished credentials who can reach the web interface pose the greatest threat. The EPSS score is below 1%, so the current likelihood of exploitation in the wild is rated very low, but the moderate CVSS score suggests that once the flaw is widely known it could be leveraged in targeted attacks against accounts whose passwords have already been compromised.

Generated by OpenCVE AI on June 1, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nextcloud Server to the 32.0.9 or 33.0.3 release, or upgrade Nextcloud Enterprise Server to 32.0.9, 33.0.3, 31.0.14.5, 30.0.17.9 or 29.0.16.16.
  • Disable or avoid HTTP Basic Authentication on the Nextcloud web service and enforce HTTPS to prevent token extraction over cleartext.
  • Monitor authentication logs for abnormal Basic Auth attempts and enforce account lockout policies to mitigate credential theft scenarios.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 17:00:00 +0000

Type: CPEs
Values added:
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*

Wed, 03 Jun 2026 02:30:00 +0000

Type: First Time appeared
Values added: Nextcloud; Nextcloud nextcloud Server
Type: Vendors & Products
Values added: Nextcloud; Nextcloud nextcloud Server

Tue, 02 Jun 2026 13:30:00 +0000

Type: Metrics (ssvc)
Values added:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 19:00:00 +0000

Type: Description
Values added: Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user's password to circumvent two-factor authentication (2FA) protections. When a user initiated login with valid credentials on a 2FA-enabled account, the system created a temporary session token before enforcing the second factor challenge. This token could be extracted and replayed via HTTP Basic Authentication to gain unauthorized access to authenticated endpoints. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16.
Type: Title
Values added: Nextcloud: Two-Factor Authentication Bypass via Pending Session Token Replay
Type: Weaknesses
Values added: CWE-287
Type: References
Values added:
Type: Metrics (cvssV3_1)
Values added:
{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T12:49:10.334Z

Reserved: 2026-05-13T04:38:01.164Z

Link: CVE-2026-45690

Vulnrichment

Updated: 2026-06-02T12:49:07.091Z

NVD

Status: Analyzed

Published: 2026-06-01T19:16:52.507

Modified: 2026-06-04T16:50:29.283

Link: CVE-2026-45690

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:53:38Z

Weaknesses