CVE-2026-45159

Nextcloud: Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner

CVSS 3.5 LOWEPSS 0.2%CWE-639

Vexday Risk Score

8Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 3.5EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

01 Jun 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Nextcloud is an open source content collaboration platform. From versions 1.15.0 to before 1.15.4, 1.16.0 to before 1.16.3, 1.17.0 to before 1.17.1, and 1.18.0 to before 1.18.1, a malicious user with access to an end-to-end encrypted files drop link was able to also drop files into other end-to-end encrypted folders of the share owner. Reading and modifying of other files was not possible. This issue has been patched in versions 1.15.4, 1.16.3, 1.17.1, 1.18.1, and 2.0.0-rc.7.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Affected products

nextcloud · security-advisories

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/nextcloud/end_to_end_encryption/pull/1395 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p3qw-7gwx-wg24 https://hackerone.com/reports/3304830