CVE-2026-45543

Source
https://cve.org/CVERecord?id=CVE-2026-45543
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45543.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45543
Aliases
  • GHSA-q4fw-6jf8-5vhh
Published
2026-06-01T17:00:48.861Z
Modified
2026-07-08T08:12:34.912264155Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Nextcloud: Deleting a Forms collaborator share leaves uploaded response files accessible through a lingering Files share
Details

Nextcloud is an open source content collaboration platform. From version 4.3.0 to before version 5.2.7, a removed collaborator retains unauthorized read access to uploaded respondent files for the affected form. The scope is limited to uploaded files for forms where that user previously had results access. This issue has been patched in version 5.2.7.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-552"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45543.json"
}
References

Affected packages

Git / github.com/nextcloud/forms

Affected ranges

Type
GIT
Repo
https://github.com/nextcloud/forms
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "4.3.0"
        },
        {
            "fixed": "5.2.7"
        }
    ],
    "cpe": "cpe:2.3:a:nextcloud:forms:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

v4.*
v4.3.0
v5.*
v5.0.0
v5.0.0-alpha.0
v5.0.0-alpha.1
v5.0.0-alpha.2
v5.0.0-alpha.3
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.1.0
v5.2.0
v5.2.0-beta.0
v5.2.0-beta.1
v5.2.0-beta.2
v5.2.1
v5.2.2
v5.2.3
v5.2.4
v5.2.5
v5.2.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45543.json"