Bug 2484569 (CVE-2026-45282) - CVE-2026-45282 nextcloud: Nextcloud Server: Information disclosure via circumventing link share protections
Summary: CVE-2026-45282 nextcloud: Nextcloud Server: Information disclosure via circum...
Keywords:
Status: NEW
Alias: CVE-2026-45282
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2484572 2484573
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-03 22:34 UTC by OSIDB Bzimport
Modified: 2026-06-03 22:39 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-03 22:34:51 UTC
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authenticated attacker can access attachments of link shares when knowing the share token, circumventing password protection or download restrictions. It is applicable to any file that is shared directly, as the attacker only needs to know a documentId they own, apart of the mentioned share token. For shared folders the attacker has to know or guess a documentId of a file that is included inside the folder, making it much harder to exploit. The attacker can only extract an attachments, but not the file shared file or folder itself. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17 or 27.1.11.5


Note You need to log in before you can comment on or make changes to this bug.