CVE-2026-45156

HIGH NVD

CVSS Score 8.1

Severity HIGH

Published Jun 01, 2026

Vendor unknown

Description

Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been patched in versions 3.1.0, 4.1.0, 5.1.0, 6.4.0 and 8.3.0.

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qqgv-fqwp-mjpp
https://github.com/nextcloud/user_oidc/pull/1285
https://hackerone.com/reports/3489490