BIT-nextcloud-2026-45691

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/nextcloud/BIT-nextcloud-2026-45691.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-nextcloud-2026-45691
Aliases
Published
2026-07-12T23:48:05.001Z
Modified
2026-07-13T06:26:36.427013660Z
Summary
Nextcloud: Bypass of second factor authentication on DAV endpoints
Details

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer token to authenticate against DAV endpoints, granting read/write access and bypassing mandatory two-factor authentication. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16

Database specific
{
    "cpes": [
        "cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
}
References

Affected packages

Bitnami / nextcloud

Package

Name
nextcloud
Purl
pkg:bitnami/nextcloud

Severity

  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
32.0.0
Fixed
32.0.9
Introduced
33.0.0
Fixed
33.0.3

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/nextcloud/BIT-nextcloud-2026-45691.json"