Description
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer token to authenticate against DAV endpoints, granting read/write access and bypassing mandatory two-factor authentication. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16.
Published: 2026-06-01
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Nextcloud Server, a pre-2FA session cookie can be reused as a Bearer token to authenticate against DAV endpoints, allowing an attacker who holds such a cookie to read or modify files. The flaw is classified as CWE-287 (Improper Authentication): a credential issued before the second factor has been completed is accepted as fully authenticated, so mandatory two-factor authentication is bypassed and the holder of the cookie gains full access to the contents of the affected account.

Affected Systems

The vulnerability affects Nextcloud Server releases from 32.0.0 through 32.0.8 and 33.0.0 through 33.0.2. Nextcloud Enterprise Server is also affected in the 31, 30 and 29 branches, with fixes shipped in 31.0.14.5, 30.0.17.9 and 29.0.16.16.

Risk and Exploitability

With a CVSS 3.1 base score of 5.9 (vector AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N) the flaw is rated Medium. The EPSS score is below 1% (very low), and the CVE is not currently listed in CISA's KEV catalog. An attacker who holds a pre-2FA session cookie, which requires the account password to have already been entered, can present it to DAV endpoints without completing TOTP and thereby obtain read/write privileges. Exploitation is relatively straightforward once such a cookie is obtained; the vulnerability does not allow arbitrary code execution, but it does compromise the confidentiality and integrity of stored data.

Generated by OpenCVE AI on June 1, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nextcloud Server or Enterprise Server to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, or 29.0.16.16 so that the session-token bypass is fixed.
  • Configure Nextcloud to enforce two-factor authentication on all DAV API access, ensuring that no session cookie can be reused as a bearer token.
  • Monitor server logs for attempts to access DAV endpoints with unauthorized bearer tokens and investigate any suspicious activity.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 17:00:00 +0000

Type: CPEs
Values Removed: (none)
Values Added:
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*

Wed, 03 Jun 2026 02:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Nextcloud; Nextcloud nextcloud Server

Type: Vendors & Products
Values Removed: (none)
Values Added: Nextcloud; Nextcloud nextcloud Server

Mon, 01 Jun 2026 21:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 19:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer token to authenticate against DAV endpoints, granting read/write access and bypassing mandatory two-factor authentication. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16

Type: Title
Values Removed: (none)
Values Added: Nextcloud: Bypass of second factor authentication on DAV endpoints

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-287

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N'}

Subscriptions

Nextcloud Nextcloud Server
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T19:10:18.647Z

Reserved: 2026-05-13T04:38:01.164Z

Link: CVE-2026-45691

Vulnrichment

Updated: 2026-06-01T19:10:13.291Z

NVD

Status : Analyzed

Published: 2026-06-01T19:16:52.673

Modified: 2026-06-04T16:50:50.660

Link: CVE-2026-45691

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:53:35Z

Weaknesses