Nextcloud, Improper Access Control, CVE-2026-45284 (Moderate) -DC-Jun2026-182


CVE-2026-45284 arises from an improper access control flaw in Nextcloud’s User OIDC app when it is integrated with LDAP. The root cause is a faulty logic condition in the `LdapService` component responsible for validating whether a user still exists and is enabled. The function `getUserByLoginName` retrieves a user by login name, but in versions prior to 8.4.0 it does not properly check the deletion status of LDAP-sourced accounts.

Specifically, after a user is deleted from LDAP, the LDAP user backend correctly marks the user as disabled and triggers an internal `deleteUser` event. The OIDC `LdapService`, however, does not fully synchronize this deletion state when it handles an OIDC authentication request for the same user: its conditional checks that the user exists but not the user’s `enabled` or `deleted` flag. Consequently, when a deleted LDAP user’s credentials are presented to the OIDC endpoint, the service still returns a valid user object, bypassing the intended access control. This allows an attacker to complete the OIDC authentication flow and obtain a valid session token for a non-existent account.

The attack vector is remote, over the network, and requires only a set of valid credentials belonging to a previously deleted LDAP user. The condition persists even after the user record has been removed from the local database. An adversary who has obtained such credentials can log in, access stored documents, messages, and other sensitive data, and establish a persistent foothold for lateral movement. The issue has been patched in version 8.4.0 by correcting the conditional check to explicitly verify both the existence and the enabled/deleted status of the user before proceeding with authentication.
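To make the faulty condition concrete, here is an added, constructed model of the lookup described above (not Nextcloud’s code): a stand-in LDAP backend that disables the local record and emits `deleteUser` when the directory entry disappears, and an `LdapService` whose `check_status` flag switches between the pre-8.4.0 existence-only check and the corrected existence-plus-status check. Class and function names other than `getUserByLoginName` and `deleteUser` are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LdapUser:
    uid: str
    enabled: bool = True
    deleted: bool = False


class LdapBackend:
    """Constructed stand-in for the LDAP user backend (hypothetical, not Nextcloud's class).
    When a user vanishes from the directory it disables the local record and
    records a deleteUser event, mirroring the behaviour the advisory describes."""

    def __init__(self, uids: List[str]) -> None:
        self.users: Dict[str, LdapUser] = {u: LdapUser(u) for u in uids}
        self.events: List[str] = []

    def directory_removed(self, uid: str) -> None:
        user = self.users[uid]
        user.enabled, user.deleted = False, True
        self.events.append(f"deleteUser:{uid}")

    def get(self, uid: str) -> Optional[LdapUser]:
        return self.users.get(uid)


class LdapService:
    """Hypothetical model of the OIDC app's lookup. check_status=False reproduces the
    pre-8.4.0 condition (existence only); check_status=True is the corrected check."""

    def __init__(self, backend: LdapBackend, check_status: bool) -> None:
        self.backend, self.check_status = backend, check_status

    def getUserByLoginName(self, login: str) -> Optional[LdapUser]:
        user = self.backend.get(login)
        if user is None:
            return None  # unknown login: rejected in both versions
        if self.check_status and (user.deleted or not user.enabled):
            return None  # fixed: a disabled/deleted LDAP user is rejected
        return user  # vulnerable: the deleted user still "exists"


def complete_oidc_login(service: LdapService, login: str) -> Optional[str]:
    """Returns a session identifier when the lookup succeeds, None otherwise.
    Credential verification is assumed to have already passed (constructed)."""
    user = service.getUserByLoginName(login)
    return None if user is None else f"session-for-{user.uid}"


def demo() -> Dict[str, Optional[str]]:
    backend = LdapBackend(["alice", "bob"])
    backend.directory_removed("bob")  # bob is deleted from LDAP, record stays locally
    return {
        "vulnerable": complete_oidc_login(LdapService(backend, False), "bob"),
        "fixed": complete_oidc_login(LdapService(backend, True), "bob"),
        "fixed_active_user": complete_oidc_login(LdapService(backend, True), "alice"),
    }
```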

DailyCVE Form:

Platform: Nextcloud
Version: 1.3.6 – 8.3.x
Vulnerability: Improper Access Control
Severity: Moderate (CVSS 4.6)
Date: 2026-06-01

Prediction: 2026-06-01 (8.4.0)

What Undercode Say:

```shell
# Check the server version (occ --version reports the Nextcloud server, not the app)
php occ --version
# Verify whether the User OIDC app is enabled; app:list also prints the app version
php occ app:list | grep user_oidc
# Check whether LDAP integration is active
php occ ldap:show-config
# Simulate the vulnerable condition (requires a test LDAP user)
curl -X POST https://nextcloud.example.com/index.php/apps/user_oidc/auth \
  -d "login=deleted_ldap_user&password=testpassword"
```

Exploit:

  1. Obtain valid credentials for a user that has been deleted from the LDAP directory.
  2. Send an authentication POST request to the OIDC endpoint (/index.php/apps/user_oidc/auth) with the credentials.
  3. Because the flawed `LdapService` does not verify the deletion status, the server returns a successful authentication response.
  4. The response includes a session cookie or an OIDC token, which the attacker can use to access Nextcloud as the deleted user.

Protection:

Upgrade: Immediately update the User OIDC app (`user_oidc`) to version 8.4.0 or later.
Disable OIDC: If upgrading is not possible, disable the User OIDC app (`php occ app:disable user_oidc`) to block the attack vector.
Network Control: Restrict access to the OIDC endpoint to trusted IP addresses only.
Logging: Monitor authentication logs for successful logins by disabled or deleted LDAP accounts.

Impact:

Unauthorized Access: An attacker can gain full access to a deleted user’s account, including all files, chat messages, calendar entries, and other private data.
Data Breach: Sensitive corporate or personal information stored in Nextcloud can be exfiltrated.
Lateral Movement: The compromised account can be used as a foothold to move laterally and compromise other connected systems or escalate privileges.
Non-Repudiation: Actions performed by the attacker cannot be traced back to a valid, existing user account, complicating forensic analysis.


Sources:

Reported By: nvd.nist.gov