Nextcloud LDAP Auth Bypass for Deleted Users (pre-8.4)
CVE-2026-45284 Published on June 1, 2026

Nextcloud: Wrong condition in the User OIDC app's LdapService allowed deleted LDAP users to authenticate
Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that were provided by LDAP to still authenticate towards user OIDC after they were deleted. This issue has been patched in version 8.4.0.

NVD

Vulnerability Analysis

CVE-2026-45284 is exploitable with network access, and requires user interaction and a small amount of user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be low, with a small impact on confidentiality, integrity and availability.

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

Weakness Type

What is an Authorization Vulnerability?

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVE-2026-45284 has been classified as an Authorization vulnerability or weakness.


Affected Versions

nextcloud security-advisories Version >= 1.3.6, < 8.4.0 is affected by CVE-2026-45284