6.3

CVE-2026-45283

Nextcloud: Files Lock app allows users to lock and unlock files of other users

Files Lock app allows users to lock and unlock files of other users

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the files_lock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated user could lock or unlock files belonging to other users by targeting their absolute WebDAV paths. Additionally, lock tokens were disclosed to unauthorized callers in error responses, allowing attackers to remove token-based locks placed by other users' client applications. It is recommended that the Nextcloud Server is upgraded to 32.0.2 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 31.0.14.4 or 32.0.2 or 33.0.1
Mögliche Gegenmaßnahme
Server: * No workaround available
Enterprise Server: * No workaround available
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NextcloudNextcloud Server SwEdition- Version >= 32.0.0 < 32.0.2
NextcloudNextcloud Server SwEdition- Version >= 33.0.0 < 33.0.1
NextcloudNextcloud Server SwEditionenterprise Version >= 31.0.0 < 31.0.14.4
NextcloudNextcloud Server SwEditionenterprise Version >= 32.0.0 < 32.0.2
NextcloudNextcloud Server SwEditionenterprise Version >= 33.0.0 < 33.0.1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Weitere Schwachstelleninformationen
SystemNextcloud
Produkt Server
Version >= 32.0.0, < 32.0.2
Version >= 33.0.0, < 33.0.1
SystemNextcloud
Produkt Enterprise Server
Version >= 31.0.0, < 31.0.14.4
Version >= 32.0.0, < 32.0.2
Version >= 33.0.0, < 33.0.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.21% 0.112
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
security-advisories@github.com 6.3 2.8 3.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4chh-6mhf-p4jj
Vendor Advisory
https://github.com/nextcloud/files_lock/pull/1007
Patch
Issue Tracking
https://hackerone.com/reports/3301553#
Permissions Required
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4chh-6mhf-p4jj
Third Party Advisory