CVE-2026-45691
Published 2026-06-01
Priority P3 (38) · medium · CVSS 3.1 base score 5.9
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
EPSS: 0.29% (20.7th percentile)
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer token to authenticate against DAV endpoints, granting read/write access and bypassing mandatory two-factor authentication. In practice, an attacker who already holds a user's password but not the second factor obtains read/write access to that user's files over DAV without ever completing the 2FA challenge. Upgrade Nextcloud Server to 33.0.3 or 32.0.9. Upgrade Nextcloud Enterprise Server to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16; fixes for the 29, 30 and 31 branches are listed only for the Enterprise product.
Affected
5 version ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nextcloud | nextcloud_server | >= 29.0.0 < 29.0.16.16 | 29.0.16.16 |
| nextcloud | nextcloud_server | >= 30.0.0 < 30.0.17.9 | 30.0.17.9 |
| nextcloud | nextcloud_server | >= 31.0.0 < 31.0.14.5 | 31.0.14.5 |
| nextcloud | nextcloud_server | >= 32.0.0 < 32.0.9 | 32.0.9 |
| nextcloud | nextcloud_server | >= 33.0.0 < 33.0.3 | 33.0.3 |
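Across a fleet, the question raised by the table above and by the advisory text is simply "is this instance inside an affected range, and which release closes it". The checker below is an added example for this page, not code from Nextcloud or from any of the advisory sources. It embeds the fixed versions from the table, treats a pre-release of a fixed version as still vulnerable, and flags the 29, 30 and 31 branches whose fix the advisory lists only for Nextcloud Enterprise Server. It assumes the input is the `versionstring` value that `occ status --output=json` reports; the function and constant names are the example's own.

```python
"""Affected-version check for CVE-2026-45691 (Nextcloud Server pre-2FA cookie reuse).

Added example for this page, not Nextcloud's code. FIXED_IN is copied from the
advisory's affected-range table; input versions are assumed to be the
"versionstring" that `occ status --output=json` reports (an assumption).
"""
from __future__ import annotations

import re
import sys

# First fixed release per major branch, from the advisory's affected table.
# The 29, 30 and 31 fixes are listed only for Nextcloud Enterprise Server.
FIXED_IN: dict[int, tuple[str, str]] = {
    29: ("29.0.16.16", "enterprise"),
    30: ("30.0.17.9", "enterprise"),
    31: ("31.0.14.5", "enterprise"),
    32: ("32.0.9", "community"),
    33: ("33.0.3", "community"),
}

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)\s*(rc|beta|alpha|dev)?", re.IGNORECASE)


def parse_version(text: str) -> tuple[int, int, int, int, int]:
    """Parse '32.0.8', '31.0.14.5' or '33.0.3 RC1' into a comparable tuple.

    The tuple is (major, minor, patch, enterprise, final) where `final` is 0 for a
    pre-release tag and 1 for a final release, so '33.0.3 RC1' sorts below '33.0.3'
    and is still reported as affected (the conservative choice).
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable Nextcloud version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")][:4]
    parts += [0] * (4 - len(parts))  # pad to major.minor.patch.enterprise
    final = 0 if m.group(2) else 1
    return (parts[0], parts[1], parts[2], parts[3], final)


def check(versionstring: str) -> dict:
    """Return whether `versionstring` falls inside an affected range and what fixes it."""
    v = parse_version(versionstring)
    major = v[0]
    if major not in FIXED_IN:
        return {
            "version": versionstring,
            "affected": False,
            "fixed_in": None,
            "note": "major branch is outside the ranges the advisory lists",
        }
    fixed, channel = FIXED_IN[major]
    affected = v < parse_version(fixed)
    note = ""
    if affected and channel == "enterprise":
        note = "fix is listed only for Nextcloud Enterprise Server"
    return {"version": versionstring, "affected": affected, "fixed_in": fixed, "note": note}


if __name__ == "__main__":
    # Usage: python cve_2026_45691_check.py 32.0.8 33.0.3 31.0.14.4
    for arg in sys.argv[1:] or ["32.0.8", "33.0.3", "31.0.14.4"]:
        r = check(arg)
        status = "AFFECTED" if r["affected"] else "not affected"
        fixed = f", fixed in {r['fixed_in']}" if r["affected"] else ""
        extra = f" ({r['note']})" if r["note"] else ""
        print(f"{r['version']}: {status}{fixed}{extra}")
```

On a host, feed it the running version, for instance `sudo -u www-data php occ status --output=json | jq -r .versionstring`, and treat any `AFFECTED` result on a 29 to 31 community install as "no fixed release listed for you", which is a reason to move to a supported branch rather than to wait.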
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N |
| GHSA | — | 7.5 | HIGH | — |
The two sources differ by a full severity band. NVD's vector models an attacker who already holds a valid password (PR:L) and rates the attack complexity high; the integrity impact is high because the reused cookie grants DAV write access. When prioritising, read the GHSA score as the vendor-side view and the NVD score as the one most scanners will report.
VulDB
Nextcloud Server up to 32.0.8/33.0.2 DAV Endpoint improper authentication (GHSA-mp6x-g55j-w9jw)
vuldb · 2026-06-01 · CVSS 5.9 · MEDIUM
A vulnerability was found in Nextcloud Server up to 32.0.8/33.0.2, in the DAV endpoint component; VulDB classifies it as critical, while the NVD CVSS 3.1 base score on this page is 5.9 (medium). Manipulation results in improper authentication. The attack may be initiated remotely. There is no available exploit. Upgrading the affected component is recommended.
GHSA
GHSA-mp6x-g55j-w9jw (nextcloud/security-advisories)
ghsa · CVSS 7.5 · HIGH
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-45691 nextcloud: Nextcloud Server: Two-factor authentication bypass via session cookie reuse [fedora-all]
bugzilla · 2026-06-01 · CVSS 5.9 · MEDIUM
Disclaimer: Community trackers are created by the Red Hat Product Security team on a best-effort basis. Package maintainers are required to ascertain whether the flaw indeed affects their package before starting the update process.
Bugzilla
CVE-2026-45691 nextcloud: Nextcloud Server: Two-factor authentication bypass via session cookie reuse [epel-all]
bugzilla · 2026-06-01 · CVSS 5.9 · MEDIUM
Bugzilla
CVE-2026-45691 nextcloud-server: Nextcloud Server: Two-factor authentication bypass via session cookie reuse
bugzilla · 2026-06-01 · CVSS 5.9 · MEDIUM
Description as in the CVE record above: a pre-2FA session cookie, issued after password authentication but before TOTP completion, could be reused as a Bearer token against DAV endpoints, granting read/write access and bypassing mandatory two-factor authentication. Fixed in Nextcloud Server 33.0.3 or 32.0.9; Nextcloud Enterprise Server 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16.