3.5
CVE-2026-45159
- EPSS 0.2%
- Veröffentlicht 01.06.2026 17:17:09
- Zuletzt bearbeitet 01.06.2026 18:14:29
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Nextcloud: Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner
Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner
Nextcloud is an open source content collaboration platform. From versions 1.15.0 to before 1.15.4, 1.16.0 to before 1.16.3, 1.17.0 to before 1.17.1, and 1.18.0 to before 1.18.1, a malicious user with access to an end-to-end encrypted files drop link was able to also drop files into other end-to-end encrypted folders of the share owner. Reading and modifying of other files was not possible. This issue has been patched in versions 1.15.4, 1.16.3, 1.17.1, 1.18.1, and 2.0.0-rc.7.
Mögliche Gegenmaßnahme
End-to-End Encryption: * No workaround available
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellernextcloud
≫
Produkt
security-advisories
Version
>= 1.15.0, < 1.15.4
Status
affected
Version
>= 1.16.0, < 1.16.3
Status
affected
Version
>= 1.17.0, < 1.17.1
Status
affected
Version
>= 1.18.0, < 1.18.1
Status
affected
VulnDex Vulnerability Enrichment
Weitere Schwachstelleninformationen
SystemNextcloud App
≫
Produkt
End-to-End Encryption
Version
>= 1.15.0, < 1.15.4
Version
>= 1.16.0, < 1.16.3
Version
>= 1.17.0, < 1.17.1
Version
>= 1.18.0, < 1.18.1
Version
>= 2.0.0, < 2.0.0-rc.7
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.2% | 0.101 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 3.5 | 2.1 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
|
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p3qw-7gwx-wg24
https://github.com/nextcloud/end_to_end_encryption/pull/1395
https://hackerone.com/reports/3304830
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p3qw-7gwx-wg24