CVE-2026-45278

LOW 3.3

Nextcloud: Open Redirect in user_oidc login flow via protocol-relative URL bypass

CVSS Score

3.3

EPSS Score

0.0%

EPSS Percentile

0th

Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that would redirect users to another website, when the victim uses the attackers link to log in via user OIDC. This issue has been patched in version 8.2.2.

CWE	CWE-601
Vendor	nextcloud
Product	security-advisories
Published	Jun 1, 2026
Last Updated	Jun 2, 2026

Stay Ahead of the Next One

Get instant alerts for nextcloud security-advisories

Be the first to know when new low vulnerabilities affecting nextcloud security-advisories are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Affected Versions

nextcloud / security-advisories

>= 6.1.0, < 8.2.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8wjr-5cg8-4w73 github.com: https://github.com/nextcloud/user_oidc/pull/1273 hackerone.com: https://hackerone.com/reports/3464925