Nextcloud Files Android PIN bypass via back button before 33.1.0: CVE-2026-45153 June 2026

Nextcloud: PIN bypass in PassCodeActivity via back button
Nextcloud is an open source content collaboration platform. From version 33.0.0 to before version 33.1.0, after unlocking a locked Android phone the back-button could be used to bypass the Nextcloud Files app PIN. This issue has been patched in version 33.1.0.

Vulnerability Analysis

CVE-2026-45153 can be exploited with physical access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector:

PHYSICAL

Attack Complexity:

HIGH

Privileges Required:

LOW

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

LOW

Availability Impact:

NONE

Weakness Type

What is an authentification Vulnerability?

When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

CVE-2026-45153 has been classified to as an authentification vulnerability or weakness.

Nextcloud Files Android PIN bypass via back button before 33.1.0
CVE-2026-45153 Published on June 1, 2026

Vulnerability Analysis

Weakness Type

What is an authentification Vulnerability?

Affected Versions

Nextcloud Files Android PIN bypass via back button before 33.1.0CVE-2026-45153 Published on June 1, 2026

Vulnerability Analysis

Weakness Type

What is an authentification Vulnerability?

Affected Versions

Nextcloud Files Android PIN bypass via back button before 33.1.0
CVE-2026-45153 Published on June 1, 2026