Nextcloud Files Android PIN bypass via back button before 33.1.0
CVE-2026-45153 Published on June 1, 2026
Nextcloud: PIN bypass in PassCodeActivity via back button
Nextcloud is an open source content collaboration platform. From version 33.0.0 to before version 33.1.0, after unlocking a locked Android phone the back-button could be used to bypass the Nextcloud Files app PIN. This issue has been patched in version 33.1.0.
Vulnerability Analysis
CVE-2026-45153 can be exploited with physical access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
What is an authentification Vulnerability?
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CVE-2026-45153 has been classified to as an authentification vulnerability or weakness.
Affected Versions
nextcloud security-advisories Version >= 33.0.0, < 33.1.0 is affected by CVE-2026-45153Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.