8.8

CVE-2026-45284

Nextcloud: Wrong condition in the User OIDC app's LdapService allowed deleted LDAP users to authenticate

Wrong condition in the User OIDC app's LdapService allowed deleted LDAP users to authenticate

Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that where provided by LDAP to still authenticate towards user OIDC after they where deleted. This issue has been patched in version 8.4.0.
Mögliche Gegenmaßnahme
User OIDC: * Disable app user_oidc
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NextcloudUser Oidc Version >= 1.3.6 < 8.4.0
Weitere Schwachstelleninformationen
SystemNextcloud App
Produkt User OIDC
Version >= 1.3.6, < 8.4.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.19% 0.091
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com 4.6 1.2 3.4
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-79xf-ffj8-96fm
Vendor Advisory
Mitigation
https://github.com/nextcloud/user_oidc/pull/1340
Patch
Issue Tracking
https://hackerone.com/reports/3554696
Permissions Required
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-79xf-ffj8-96fm
Third Party Advisory