CVE-2026-45159
Nextcloud: Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner
CVSS Score
3.5
EPSS Score
0.0%
EPSS Percentile
0th
Nextcloud is an open source content collaboration platform. From versions 1.15.0 to before 1.15.4, 1.16.0 to before 1.16.3, 1.17.0 to before 1.17.1, and 1.18.0 to before 1.18.1, a malicious user with access to an end-to-end encrypted files drop link was able to also drop files into other end-to-end encrypted folders of the share owner. Reading and modifying of other files was not possible. This issue has been patched in versions 1.15.4, 1.16.3, 1.17.1, 1.18.1, and 2.0.0-rc.7.
| CWE | CWE-639 |
| Vendor | nextcloud |
| Product | security-advisories |
| Published | Jun 1, 2026 |
| Last Updated | Jun 1, 2026 |
Stay Ahead of the Next One
Get instant alerts for nextcloud security-advisories
Be the first to know when new low vulnerabilities affecting nextcloud security-advisories are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Affected Versions
nextcloud / security-advisories
>= 1.15.0, < 1.15.4 >= 1.16.0, < 1.16.3 >= 1.17.0, < 1.17.1 >= 1.18.0, < 1.18.1