SQLi via ORDER BY in Nextcloud Tables app 0.9.0-0.9.6, 1.0.0-1.0.1
CVE-2026-45722 Published on June 1, 2026
Nextcloud: Tables app allows limited SQLi in ORDER BY with malicious sort order argument for Table Views
Nextcloud is an open source content collaboration platform. From versions 0.9.0 to before 0.9.7, and 1.0.0 to before 1.0.2, missing sanitization in the Tables app allowed a user with access to the Tables app to perform a limited SQL injection in the ORDER BY clause of a query. Compared to normal SQL injections, an ORDER BY injection is limited to extracting a single bit of information per request or making the database wait for a given time. This issue has been patched in versions 0.9.7 and 1.0.2.
Vulnerability Analysis
CVE-2026-45722 is exploitable with network access and requires a small amount of user privileges. The vulnerability is considered to have a low attack complexity. A successful exploit is considered to have a high impact on confidentiality, no impact on integrity, and a small impact on availability.
Weakness Type
What is a SQL Injection Vulnerability?
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
CVE-2026-45722 has been classified as a SQL Injection vulnerability or weakness.
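ORDER BY columns and directions cannot be passed as bound parameters, so the usual mitigation for this class of bug is to map the request onto server-side allowlists. The following is an added Python/SQLite example, not code from the Tables app or its patch; the sort-spec shape (`columnId`, `mode`), the table and the column names are assumptions made for illustration.

```python
import sqlite3

ALLOWED_MODES = {"ASC", "DESC"}  # the only legal ORDER BY directions

def build_order_by(sort_spec, allowed_columns):
    """Turn an untrusted sort spec into an ORDER BY clause.

    sort_spec: list of {"columnId": int, "mode": str} (assumed shape).
    allowed_columns: dict mapping column id -> trusted SQL identifier.
    Raises ValueError for anything that is not on the allowlists.
    """
    terms = []
    for rule in sort_spec:
        col_id, mode = rule.get("columnId"), rule.get("mode")
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(col_id, bool) or not isinstance(col_id, int):
            raise ValueError("columnId must be an integer")
        if col_id not in allowed_columns:
            raise ValueError(f"unknown column id {col_id}")
        if not isinstance(mode, str) or mode.upper() not in ALLOWED_MODES:
            raise ValueError("sort mode must be ASC or DESC")
        # Only server-side strings reach the SQL text, never the input itself.
        terms.append(f'"{allowed_columns[col_id]}" {mode.upper()}')
    return " ORDER BY " + ", ".join(terms) if terms else ""

def sorted_rows(conn, sort_spec):
    columns = {1: "title", 2: "created"}  # constructed schema for the demo
    sql = "SELECT title FROM demo_rows" + build_order_by(sort_spec, columns)
    return [row[0] for row in conn.execute(sql)]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE demo_rows (title TEXT, created INTEGER)")
    conn.executemany("INSERT INTO demo_rows VALUES (?, ?)",
                     [("b", 3), ("a", 1), ("c", 2)])  # constructed rows
    ok = sorted_rows(conn, [{"columnId": 2, "mode": "desc"}])
    try:
        # A mode carrying extra SQL text must be refused, not concatenated.
        sorted_rows(conn, [{"columnId": 2, "mode": "DESC, title"}])
        rejected = False
    except ValueError:
        rejected = True
    return ok, rejected

if __name__ == "__main__":
    print(demo())
```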
Affected Versions
nextcloud security-advisories:
- Version >= 0.9.0, < 0.9.7 is affected.
- Version >= 1.0.0, < 1.0.2 is affected.