How is CVE-2026-45156 exploited?

Network reachability (required): The attacker must reach the Nextcloud login endpoint over the network to deliver the malicious ID4me authority response. Authentication (not-required): No account or credentials on the target Nextcloud instance are needed before exploitation begins. Victim interaction (required): The victim must initiate or be directed through the ID4me login flow, making this a social-engineering or phishing-assisted attack. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special race conditions or environmental factors beyond controlling or spoofing the ID4me authority.

What is the impact of CVE-2026-45156?

A successful attacker gains access to the impersonated user's stored files, shared documents, and collaboration data. The attacker can modify, overwrite, or delete files and content owned by the victim account. If the impersonated account holds administrative privileges in Nextcloud, the attacker inherits those privileges and can reconfigure the instance or access other users' data.

Back to search

HIGHCVE-2026-45156Published 2026-06-01Modified 2026-06-03CNA GitHub_M

CVE-2026-45156: Nextcloud: Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC

Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been patched in versions 3.1.0, 4.1.0, 5.1.0, 6.4.0 and 8.3.0.

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Authentication bypass in Nextcloud User OIDC allows a malicious ID4me authority to impersonate any user without presenting a valid identity. The flaw is reachable over the network, requires no attacker authentication, but does require the victim to interact with a crafted login flow, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:R). Successful exploitation gives an attacker full read and write access to the victim's Nextcloud account. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment fix versions are confirmed published upstream.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI pipelines, including custom-built images that bundle the affected nextcloud/user_oidc component.

Available

Triage

HarborGuard scores this finding at CVSS 8.1 (HIGH) and is capable of weighting that score against each environment's compliance policy to determine urgency; findings are then routed to the team inbox configured for the affected workload inside each customer organization.

Available

Patch

Because no fix versions have been confirmed upstream yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a confirmed fix is published. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once a patch is available.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the Nextcloud login endpoint over the network to deliver the malicious ID4me authority response.
AuthenticationNot required
No account or credentials on the target Nextcloud instance are needed before exploitation begins.
Victim interactionRequired
The victim must initiate or be directed through the ID4me login flow, making this a social-engineering or phishing-assisted attack.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions or environmental factors beyond controlling or spoofing the ID4me authority.

Blast Radius

A successful attacker gains access to the impersonated user's stored files, shared documents, and collaboration data.
The attacker can modify, overwrite, or delete files and content owned by the victim account.
If the impersonated account holds administrative privileges in Nextcloud, the attacker inherits those privileges and can reconfigure the instance or access other users' data.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published, HarborGuard continuously monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment confirmed fix versions appear upstream. In the interim, teams running the affected nextcloud/user_oidc versions (0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, or 6.0.0 to before 6.4.0) should consider disabling ID4me login support via feature flag or Nextcloud admin settings if that login method is not in active use, and apply network-policy controls to restrict which identity providers can reach the OIDC callback endpoint. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will trigger automatically once the upstream patch is confirmed, with no manual steps required.

See how HarborGuard automates this

Affected packages

nextcloud / security-advisories
>= 0.3.0, < 3.1.0 · >= 5.0.0, < 5.1.0 · >= 6.0.0, < 6.4.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References

Metrics

Get notified