
Nextcloud Server vulnerabilities

189 known vulnerabilities affecting nextcloud/nextcloud_server.

Total CVEs: 189
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 42, MEDIUM 125, LOW 15

Vulnerabilities

Page 3 of 10
CVE-2018-16466 | P3 | HIGH | CVSS 8.1 | fixed in 12.0.11; ≥ 13.0.0, < 13.0.6; +2 more | 2018-10-30
CVE-2018-16466 [HIGH] CWE-284: Improper revalidation of permissions in Nextcloud Server prior to 14.0.0, 13.0.6 and 12.0.11 leads to access restrictions set by access tokens not being enforced.
nvd
CVE-2026-45285 | P3 | MEDIUM | CVSS 6.4 | ≥ 32.0.0, < 32.0.9; ≥ 33.0.0, < 33.0.3 | 2026-06-01
CVE-2026-45285 [MEDIUM] CWE-862: Nextcloud is an open source content collaboration platform. From versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a user shares a folder or file with a Nextcloud Team that includes an external member (a person added via email address who does not have a Nextcloud account), the system automatically creates a public link for that ex
nvd
CVE-2020-8259 | P3 | HIGH | CVSS 8.1 | fixed in 20.0.0 | 2020-11-16
CVE-2020-8259 [HIGH] CWE-522: Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the encryption keys.
nvd
CVE-2020-8183 | P3 | HIGH | CVSS 7.5 | fixed in 18.0.6; ≥ 19.0.0, < 19.0.1; +1 more | 2020-11-02
CVE-2020-8183 [HIGH] CWE-256: A logic error in Nextcloud Server 19.0.0 caused plaintext storage of the share password when it was given on the initial create API call.
nvd
CVE-2026-45282 | P3 | MEDIUM | CVSS 6.5 | ≥ 32.0.0, < 32.0.9; ≥ 33.0.0, < 33.0.3; +5 more | 2026-06-01
CVE-2026-45282 [MEDIUM] CWE-284: Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authenticated attacker can access attachments of link shares when knowing the share token, circumventing password protection or download restrictions. It is applicable to any file that is shared direc
nvd
CVE-2020-8121 | P3 | HIGH | CVSS 8.1 | fixed in 13.0.9; ≥ 14.0.0, < 14.0.5; +2 more | 2020-02-04
CVE-2020-8121 [HIGH] CWE-284: A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer.
nvd
CVE-2026-45690 | P3 | MEDIUM | CVSS 5.9 | ≥ 32.0.0, < 32.0.9; ≥ 33.0.0, < 33.0.3; +3 more | 2026-06-01
CVE-2026-45690 [MEDIUM] CWE-287: Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user's password to circumvent two-factor authentication (2FA) protections. When a user initiated login with valid credentials
nvd
CVE-2024-52523 | P3 | MEDIUM | CVSS 6.5 | ≥ 25.0.0, < 25.0.13.14; ≥ 26.0.0, < 26.0.13.10; +4 more | 2024-11-15
CVE-2024-52523 [MEDIUM] CWE-200: Nextcloud Server is a self hosted personal cloud system. After setting up a user or administrator defined external storage with fixed credentials, the API returns them and adds them into the frontend again, allowing them to be read in plain text when an attacker already has access to an active session of a user. It is recommended that the Nextcloud Ser
nvd
CVE-2023-39963 | P3 | HIGH | CVSS 7.8 | ≥ 20.0.0, < 20.0.14.15; ≥ 21.0.0, < 21.0.9.13; +6 more | 2023-08-10
CVE-2023-39963 [HIGH] CWE-284: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 20.0.0 and prior to versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a missing password confirmation allowed an attacker, after successfully stealing a session from a logged in user, to create app passwo
nvd
CVE-2023-48239 | P3 | HIGH | CVSS 7.1 | ≥ 20.0.0, < 20.0.14.16; ≥ 21.0.0, < 21.0.9.13; +6 more | 2023-11-21
CVE-2023-48239 [HIGH] CWE-284: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Server and starting in version 20.0.0 and prior to versions 20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Enterprise Server,
nvd
CVE-2023-39952 | P3 | MEDIUM | CVSS 6.5 | ≥ 22.0.0, < 22.2.10.13; ≥ 23.0.0, < 23.0.12.8; +4 more | 2023-08-10
CVE-2023-39952 [MEDIUM] CWE-284: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1, a user can access files inside a subfolder of a groupfolder accessible to them, even if advanced permissions would block access to the subfolder. Nextcloud
nvd
CVE-2024-52515 | P3 | MEDIUM | CVSS 6.5 | ≥ 24.0.0, < 24.0.12.15; ≥ 25.0.0, < 25.0.13.10; +4 more | 2024-11-15
CVE-2024-52515 [MEDIUM] CWE-706: Nextcloud Server is a self hosted personal cloud system. After an admin enables the default-disabled SVG preview provider, a malicious user could upload a manipulated SVG file referencing paths. If the referenced file existed, the SVG preview would show that other file instead. It is recommended that the Nextcloud Server is upgraded to 27.1.10, 28.
nvd
CVE-2026-45691 | P3 | MEDIUM | CVSS 5.9 | ≥ 32.0.0, < 32.0.9; ≥ 33.0.0, < 33.0.3; +3 more | 2026-06-01
CVE-2026-45691 [MEDIUM] CWE-287: Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer token to authenticate against DAV endpoints, granting read/write access
nvd
CVE-2020-8295 | P3 | HIGH | CVSS 7.5 | fixed in 20.0.0 | 2021-01-26
CVE-2020-8295 [HIGH] CWE-400: A wrong check in Nextcloud Server 19 and prior allowed a denial of service attack when resetting the password for a user.
nvd
CVE-2023-25818 | P3 | HIGH | CVSS 7.1 | ≥ 21.0.0, < 21.0.9.10; ≥ 22.0.0, < 22.2.10.10; +3 more | 2023-03-27
CVE-2023-25818 [HIGH] CWE-307: Nextcloud server is an open source, personal cloud implementation. In affected versions a malicious user could try to reset the password of another user and then brute force the 62^21 combinations for the password reset token. As of commit `704eb3aa` password reset attempts are now throttled. Note that 62^21 combinations would significant compute resou
nvd
CVE-2020-8139 | P3 | MEDIUM | CVSS 6.5 | ≥ 16.0.0, < 16.0.9; ≥ 17.0.0, < 17.0.4; +2 more | 2020-03-20
CVE-2020-8139 [MEDIUM] CWE-284: A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL.
nvd
CVE-2023-28644 | P3 | HIGH | CVSS 7.5 | ≥ 25.0.0, < 25.0.3 | 2023-03-30
CVE-2023-28644 [HIGH] CWE-400: Nextcloud server is an open source home cloud implementation. In releases of the 25.0.x branch before 25.0.3 an inefficient fetch operation may impact server performance and/or can lead to a denial of service. This issue has been addressed and it is recommended that the Nextcloud Server is upgraded to 25.0.3. There are no known workarounds for this v
nvd
CVE-2021-22877 | P3 | MEDIUM | CVSS 6.5 | fixed in 20.0.6 | 2021-03-03
CVE-2021-22877 [MEDIUM] CWE-284: A missing user check in Nextcloud prior to 20.0.6 inadvertently populates a user's own credentials into other users' external storage configuration when not already configured yet.
nvd
CVE-2020-8138 | P3 | MEDIUM | CVSS 6.5 | fixed in 15.0.14; ≥ 16.0.0, < 16.0.7; +2 more | 2020-03-20
CVE-2020-8138 [MEDIUM] CWE-918: A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL.
nvd
CVE-2026-45810 | P3 | MEDIUM | CVSS 6.8 | ≥ 31.0.0, < 31.0.12; ≥ 32.0.0, < 32.0.3; +10 more | 2026-06-01
CVE-2026-45810 [MEDIUM] CWE-639: Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.12, and 32.0.0 to before 32.0.3, a missing check of a relation allowed authenticated users with access to any file comment to read the content of all comments. It is recommended that the Nextcloud Server is upgraded to 31.0.12 or 32.0
nvd