CVE-2026-45156

Source
https://cve.org/CVERecord?id=CVE-2026-45156
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45156.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45156
Aliases
  • GHSA-qqgv-fqwp-mjpp
Published
2026-06-01T16:38:46.470Z
Modified
2026-07-15T01:49:01.208973905Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Nextcloud: Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC
Details

Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been patched in versions 3.1.0, 4.1.0, 5.1.0, 6.4.0 and 8.3.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45156.json",
    "cwe_ids": [
        "CWE-287"
    ]
}
References

Affected packages

Git / github.com/nextcloud/user_oidc

Affected ranges

Type
GIT
Repo
https://github.com/nextcloud/user_oidc
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0.3.0"
        },
        {
            "fixed": "3.1.0"
        },
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.1.0"
        },
        {
            "introduced": "6.0.0"
        },
        {
            "fixed": "6.4.0"
        }
    ]
}

Affected versions

v0.*
v0.3.0
v0.3.1
v0.3.2
v1.*
v1.0.0
v1.1.0
v1.2.0
v1.2.1
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v3.*
v3.0.0
v5.*
v5.0.0
v5.0.1
v5.0.2
v5.0.3
v6.*
v6.0.0
v6.0.1
v6.1.0
v6.1.1
v6.1.2
v6.2.0
v6.2.1
v6.3.0
v6.3.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45156.json"