Nextcloud Team Folder Rename Bypass (v17-21) Patch v17.0.15/18.1.12/19.1.16/20.1.11/21.0.4
CVE-2026-45264 Published on June 1, 2026
Nextcloud: ACL Rename Permission Bypass in Team Folders Allows Unauthorized File Renames
Nextcloud is an open source content collaboration platform. From versions 17.0.0 to before 17.0.15, 18.0.0 to before 18.1.12, 19.0.0 to before 19.1.16, 20.0.0 to before 20.1.11, and 21.0.0 to before 21.0.4, a user with READ and CREATE permission, but no UPDATE permission for a team folder can rename files in the team folder. This issue has been patched in versions 17.0.15, 18.1.12, 19.1.16, 20.1.11, and 21.0.4.
Vulnerability Analysis
CVE-2026-45264 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2026-45264 has been classified to as an Authorization vulnerability or weakness.
Affected Versions
nextcloud security-advisories:- Version >= 17.0.0, < 17.0.15 is affected.
- Version >= 18.0.0, < 18.1.12 is affected.
- Version >= 19.0.0, < 19.1.16 is affected.
- Version >= 20.0.0, < 20.1.11 is affected.
- Version >= 21.0.0, < 21.0.4 is affected.