8.8
CVE-2026-45284
- EPSS 0.19%
- Veröffentlicht 01.06.2026 16:57:56
- Zuletzt bearbeitet 03.06.2026 20:28:42
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Nextcloud: Wrong condition in the User OIDC app's LdapService allowed deleted LDAP users to authenticate
Wrong condition in the User OIDC app's LdapService allowed deleted LDAP users to authenticate
Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that where provided by LDAP to still authenticate towards user OIDC after they where deleted. This issue has been patched in version 8.4.0.
Mögliche Gegenmaßnahme
User OIDC: * Disable app user_oidc
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.19% | 0.091 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 4.6 | 1.2 | 3.4 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
|
CWE-284 Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-79xf-ffj8-96fm
https://github.com/nextcloud/user_oidc/pull/1340
https://hackerone.com/reports/3554696
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-79xf-ffj8-96fm