Bug 2483830 (CVE-2026-45690)
| Summary: | CVE-2026-45690 nextcloud-server: Nextcloud Server: Authentication bypass allows unauthorized access by circumventing two-factor authentication. | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jon Moroney <jmoroney> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | A flaw was found in Nextcloud Server. This vulnerability allows a remote attacker, with knowledge of a user's password, to bypass two-factor authentication (2FA) protections. When a user attempts to log in with valid credentials on a 2FA-enabled account, a temporary session token is generated before the second factor challenge. This token can be extracted and replayed using HTTP Basic Authentication, leading to unauthorized access to authenticated parts of the system. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2483840, 2483841 | | |
| Bug Blocks: | | | |

Description
Jon Moroney
2026-06-01 21:43:08 UTC