Description
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer token to authenticate against DAV endpoints, granting read/write access and bypassing mandatory two-factor authentication. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16.
Published: 2026-06-01
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Nextcloud Server, a pre‑2FA session cookie can be reused as a Bearer token to authenticate against DAV endpoints, allowing an attacker who holds such a cookie to read or modify files. The flaw is an improper‑authentication weakness (CWE‑287): a credential that should only be valid until the second factor is completed is accepted as fully authenticated, bypassing mandatory two‑factor authentication and granting read/write access to the contents of the affected account.

Affected Systems

The vulnerability affects Nextcloud Server releases from 32.0.0 through 32.0.8 and 33.0.0 through 33.0.2. Nextcloud Enterprise Server releases before 31.0.14.5, 30.0.17.9, and 29.0.16.16 are also affected; those versions carry the fix.

Risk and Exploitability

With a CVSS score of 5.9 (vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N) the flaw is rated moderate. No EPSS score is available, and it is not currently listed in CISA’s KEV catalog. An attacker holding a pre‑2FA session cookie can present it to DAV endpoints without completing TOTP, thereby gaining read/write access to the account’s files. Obtaining the cookie in the first place requires valid credentials and is the hard step (attack complexity is rated high); once it is held, reuse is straightforward. The vulnerability does not allow arbitrary code execution, but it does compromise the confidentiality and integrity of stored data.

Generated by OpenCVE AI on June 1, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nextcloud Server to 33.0.3 or 32.0.9, or Nextcloud Enterprise Server to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, or 29.0.16.16, so that the session‑token bypass is fixed.
  • Until the upgrade is applied, verify that two‑factor authentication is enforced for every account and treat DAV access as fully authenticated only after the second factor has been completed; no session cookie should be accepted as a Bearer token.
  • Monitor server logs for DAV endpoint access authenticated with Bearer tokens from sessions that never completed the second factor, and investigate any such activity.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 21:30:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 19:00:00 +0000

Values added (no values removed):

Description: Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer token to authenticate against DAV endpoints, granting read/write access and bypassing mandatory two-factor authentication. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16.
Title: Nextcloud: Bypass of second factor authentication on DAV endpoints
Weaknesses: CWE-287
References: none listed
Metrics: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-06-01T19:10:18.647Z

Reserved: 2026-05-13T04:38:01.164Z

Link: CVE-2026-45691

Vulnrichment

Updated: 2026-06-01T19:10:13.291Z

NVD

Status: Received

Published: 2026-06-01T19:16:52.673

Modified: 2026-06-01T19:16:52.673

Link: CVE-2026-45691

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T20:45:25Z

Weaknesses