CVE-2026-45284

Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that where provided by LDAP to still authenticate towards user OIDC after they where deleted. This issue has been patched in version 8.4.0.

CVSS v3 4.6 MEDIUM

4.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-79xf-ffj8-96fm	Mitigation Vendor Advisory
https://github.com/nextcloud/user_oidc/pull/1340	Issue Tracking Patch
https://hackerone.com/reports/3554696	Permissions Required

Configurations

Configuration 1 (hide)

cpe:2.3:a:nextcloud:user_oidc:*:*:*:*:*:*:*:*

History

03 Jun 2026, 20:28

Type	Values Removed	Values Added
First Time		Nextcloud user Oidc Nextcloud
CWE		NVD-CWE-noinfo
References	~~() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-79xf-ffj8-96fm -~~	() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-79xf-ffj8-96fm - Mitigation, Vendor Advisory
References	~~() https://github.com/nextcloud/user_oidc/pull/1340 -~~	() https://github.com/nextcloud/user_oidc/pull/1340 - Issue Tracking, Patch
References	~~() https://hackerone.com/reports/3554696 -~~	() https://hackerone.com/reports/3554696 - Permissions Required
CPE		cpe:2.3:a:nextcloud:user_oidc::::::::

01 Jun 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-01 19:16

Updated : 2026-06-03 20:28

NVD link : CVE-2026-45284

Mitre link : CVE-2026-45284

CVE.ORG link : CVE-2026-45284

JSON object : View

Products Affected

nextcloud

user_oidc

CWE

CWE-284

Improper Access Control

NVD-CWE-noinfo

{"id": "CVE-2026-45284", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-06-01T19:16:50.670", "references": [{"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-79xf-ffj8-96fm", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/user_oidc/pull/1340", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://hackerone.com/reports/3554696", "tags": ["Permissions Required"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that where provided by LDAP to still authenticate towards user OIDC after they where deleted. This issue has been patched in version 8.4.0."}], "lastModified": "2026-06-03T20:28:42.890", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:user_oidc:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9084CF9A-B03D-4712-8F32-2BFCCA5019D0", "versionEndExcluding": "8.4.0", "versionStartIncluding": "1.3.6"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}