Nextcloud EE File Drop Bypass (1.15.0 - 1.18.1)
CVE-2026-45159 Published on June 1, 2026
Nextcloud: Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner
Nextcloud is an open source content collaboration platform. From versions 1.15.0 to before 1.15.4, 1.16.0 to before 1.16.3, 1.17.0 to before 1.17.1, and 1.18.0 to before 1.18.1, a malicious user with access to an end-to-end encrypted files drop link was able to also drop files into other end-to-end encrypted folders of the share owner. Reading and modifying other files was not possible. This issue has been patched in versions 1.15.4, 1.16.3, 1.17.1, 1.18.1, and 2.0.0-rc.7.
Vulnerability Analysis
CVE-2026-45159 can be exploited with network access, and requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. An exploit of this vulnerability is considered to have no impact on confidentiality, no impact on integrity, and no impact on availability.
Weakness Type
What is an Insecure Direct Object Reference / IDOR Vulnerability?
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2026-45159 has been classified as an Insecure Direct Object Reference / IDOR vulnerability or weakness.
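
A minimal model of this weakness class applied to a files drop link, added here as an illustration and not taken from Nextcloud's code or the advisory. The store, the handler names, the sample token and the client-supplied folder id are all assumptions; the page does not describe how the actual check was implemented.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a drop request falls outside what the link grants."""


@dataclass
class Store:
    # Constructed sample data: folder id -> owner, share token -> (owner, folder id)
    folder_owner: dict = field(default_factory=lambda: {10: "alice", 11: "alice", 20: "bob"})
    shares: dict = field(default_factory=lambda: {"tok-drop": ("alice", 10)})
    files: dict = field(default_factory=dict)  # folder id -> dropped file names

    def resolve(self, token):
        if token not in self.shares:
            raise Forbidden("unknown share token")
        return self.shares[token]

    def write(self, folder_id, name):
        self.files.setdefault(folder_id, []).append(name)


def drop_owner_check_only(store, token, folder_id, name):
    """Weak form: the client-supplied folder id is checked against the owner only."""
    owner, _shared_folder = store.resolve(token)
    if store.folder_owner.get(folder_id) != owner:
        raise Forbidden("folder does not belong to the share owner")
    store.write(folder_id, name)  # any folder of the owner is accepted


def drop_scoped_to_share(store, token, folder_id, name):
    """Hardened form: the target must be the folder the link was created for."""
    owner, shared_folder = store.resolve(token)
    if folder_id != shared_folder or store.folder_owner.get(folder_id) != owner:
        raise Forbidden("folder is not the one this link was created for")
    store.write(folder_id, name)


def is_rejected(handler, store, token, folder_id):
    """Return True when the handler refuses the drop request."""
    try:
        handler(store, token, folder_id, "report.bin")
    except Forbidden:
        return True
    return False
```

The hardened handler derives the permitted target from the share record itself, so the identifier sent by the client can only confirm the link's scope, never widen it.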
Affected Versions
nextcloud security-advisories:
- Version >= 1.15.0, < 1.15.4 is affected.
- Version >= 1.16.0, < 1.16.3 is affected.
- Version >= 1.17.0, < 1.17.1 is affected.
- Version >= 1.18.0, < 1.18.1 is affected.