5.3

CVE-2026-45543

Nextcloud: Deleting a Forms collaborator share leaves uploaded response files accessible through a lingering Files share

Deleting a Forms collaborator share leaves uploaded response files accessible through a lingering Files share

Nextcloud is an open source content collaboration platform. From version 4.3.0 to before version 5.2.7, a removed collaborator retains unauthorized read access to uploaded respondent files for the affected form. The scope is limited to uploaded files for forms where that user previously had results access. This issue has been patched in version 5.2.7.
Mögliche Gegenmaßnahme
Forms: * Disable app Forms
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NextcloudForms Version >= 4.3.0 < 5.2.7
Weitere Schwachstelleninformationen
SystemNextcloud App
Produkt Forms
Version >= 4.3.0, < 5.2.7
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.27% 0.182
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-552 Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q4fw-6jf8-5vhh
Vendor Advisory
Mitigation
https://github.com/nextcloud/forms/pull/3291
Patch
Issue Tracking
https://hackerone.com/reports/3617352
Permissions Required
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q4fw-6jf8-5vhh
Third Party Advisory