Nextcloud is an open-source content collaboration platform. The vulnerability CVE-2026-45285 affects versions 32.0.0 to 32.0.8 and 33.0.0 to 33.0.2. It arises when a user shares a folder or file with a Nextcloud Team that includes an external member (a person added via email address who does not have a Nextcloud account). When this occurs, the system automatically creates a public link for that external member. This public link is not displayed in the share section of the folder, so the folder owner has no knowledge of its existence. The link is sent via email to the external member. It grants the same permissions (read, write, delete, reshare, download) as the Team’s access. An attacker who receives or intercepts this link can access, modify, delete, reshare, and download all data in the shared folder without any further authentication. The folder owner cannot see or revoke the link through the normal sharing interface. The vulnerability has been patched in versions 32.0.9 and 33.0.3. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N, resulting in a base score of 6.4 (Medium). The weakness is mapped to CWE-862 (Missing Authorization).
DailyCVE Form:
Platform: Nextcloud Server
Version: 32.0.0-32.0.8, 33.0.0-33.0.2
Vulnerability: Hidden Public Link
Severity: Medium (CVSS 6.4)
Date: 2026-06-01
Prediction: 30 April 2026
What Undercode Say:
# Check Nextcloud version
sudo -u www-data php occ -V
# List all shares (may not show hidden links)
sudo -u www-data php occ sharing:list
# SQL query to find potentially hidden public links (share_type 3 is a public link share)
sudo -u www-data php occ db:query "SELECT * FROM oc_share WHERE share_type = 3 AND token IS NOT NULL;"
# Test access to a suspected public link on your own instance
# (-k skips TLS certificate verification; omit it where the certificate is trusted)
curl -k "https://nextcloud.example.com/s/TOKEN"
Exploit:
- Attacker intercepts or receives the hidden public link via email or network sniffing.
- Attacker uses the link to access the shared folder without authentication.
- Attacker can read, write, delete, reshare, and download all data in the folder.
Protection:
Upgrade to Nextcloud Server version 32.0.9 or 33.0.3 immediately. No workaround is available. Use the following commands to upgrade:
sudo -u www-data php occ upgrade
sudo -u www-data php occ maintenance:mode --off
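To decide which instances need the upgrade, the following added example (not part of the original post and not Nextcloud code) classifies `occ -V` output against the affected and fixed versions listed above. The function names and host names are hypothetical, and the inventory lines are constructed.

```bash
#!/usr/bin/env bash
# Classify Nextcloud versions against this advisory's ranges:
# affected 32.0.0-32.0.8 and 33.0.0-33.0.2, fixed in 32.0.9 and 33.0.3.

# First patched patch level for each affected major.minor branch.
fixed_patch() {
  case "$1" in
    32.0) echo 9 ;;
    33.0) echo 3 ;;
    *)    return 1 ;;   # branch not covered by the advisory
  esac
}

# Accepts raw `occ -V` output ("Nextcloud 32.0.8") or a bare version string.
# A fourth build component (e.g. 33.0.2.1) is ignored.
classify_version() {
  local ver major minor patch fix
  ver=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1) || true
  if [ -z "$ver" ]; then
    echo "unknown: no version found"
    return 0
  fi
  IFS=. read -r major minor patch <<EOF
$ver
EOF
  if ! fix=$(fixed_patch "$major.$minor"); then
    echo "not listed: $ver is outside the advisory's ranges"
  elif [ "$patch" -lt "$fix" ]; then
    echo "affected: $ver, upgrade to $major.$minor.$fix"
  else
    echo "patched: $ver"
  fi
}

# Reads "host <occ -V output>" lines on stdin, prints "host<TAB>verdict".
triage_inventory() {
  while read -r host rest; do
    [ -n "$host" ] || continue
    printf '%s\t%s\n' "$host" "$(classify_version "$rest")"
  done
}

# Constructed sample inventory; feed real `occ -V` output per host instead.
printf 'web1 Nextcloud 32.0.8\nweb2 Nextcloud 33.0.3\nweb3 Nextcloud 31.0.12\n' | triage_inventory
```

Versions outside the two listed branches are reported as "not listed" rather than safe, because the advisory text makes no statement about them.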
Impact:
Unauthorized access to shared data, data breach, data modification, data deletion, and further sharing of sensitive information.
Sources:
Reported By: nvd.nist.gov

