CVE-2026-45810

Nextcloud: Propfind requests for file comments allowed to load comments for other files

CVSS 6.8 MEDIUMEPSS 0.3%CWE-639

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 6.8EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

01 jun 2026Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.12, and 32.0.0 to before 32.0.3, a missing check of a relation allowed authenticated users with access to any file comment, to read the content of all comments. It is recommended that the Nextcloud Server is upgraded to 31.0.12 or 32.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 21.0.9.20, 22.2.10.35, 23.0.12.31, 24.0.12.30, 25.0.13.25, 26.0.13.22, 27.1.11.22, 28.0.14.13, 29.0.16.10, 30.0.17.5, 31.0.12 or 32.0.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Produtos afetados

nextcloud · security-advisories

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-285v-p9x9-cjhj https://github.com/nextcloud/server/pull/56982 https://hackerone.com/reports/3425534