BIT-nextcloud-2026-45690

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/nextcloud/BIT-nextcloud-2026-45690.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-nextcloud-2026-45690
Aliases
Published
2026-07-12T23:48:03.821Z
Modified
2026-07-13T06:26:15.593431947Z
Summary
Nextcloud: Two-Factor Authentication Bypass via Pending Session Token Replay
Details

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user's password to circumvent two-factor authentication (2FA) protections. When a user initiated login with valid credentials on a 2FA-enabled account, the system created a temporary session token before enforcing the second factor challenge. This token could be extracted and replayed via HTTP Basic Authentication to gain unauthorized access to authenticated endpoints. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16

Database specific
{
    "cpes": [
        "cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
}
References

Affected packages

Bitnami / nextcloud

Package

Name
nextcloud
Purl
pkg:bitnami/nextcloud

Severity

  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
32.0.0
Fixed
32.0.9
Introduced
33.0.0
Fixed
33.0.3

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/nextcloud/BIT-nextcloud-2026-45690.json"