HarborGuard Database
Severity: HIGH · CVE-2026-45545 · CNA: GitHub_M

CVE-2026-45545: Nextcloud: SQL Injection in Column Type Parameter Allows Arbitrary SQL Execution

Nextcloud is an open source content collaboration platform. In the Nextcloud Tables app, from versions 0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, and 1.0.0 to before 1.0.4, an authenticated attacker with access to the Tables app may be able to execute arbitrary SQL queries of up to 20 bytes through a stored injection in the column type parameter. With carefully crafted input it is possible to break out of that length limitation. The attacker could use this to extract information from the database or to modify data. This issue has been patched in versions 0.7.7, 0.8.10, 0.9.8, 1.0.4, and 2.0.0.
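As an added illustration of the pattern the advisory describes (this is not code from the Nextcloud Tables app, which is written in PHP and is not reproduced here), the script below builds an ALTER TABLE statement from a user-supplied column type. A column's type, like any identifier or keyword in DDL, cannot be passed as a bound parameter, so it ends up concatenated into the statement; a byte-length cap on the input does not stop SQL metacharacters that fit under the cap, whereas validating the value against an allowlist does. The 20-byte cap, the allowlist, the table names and the payload are all constructed for this example, and sqlite's executescript stands in for a database driver that accepts stacked statements.

```python
"""Added example (not Nextcloud Tables code): a user-controlled column type
concatenated into DDL, first behind only a length check, then behind an
allowlist."""
import re
import sqlite3

MAX_TYPE_LEN = 20                                      # hypothetical cap, mirrors the advisory's 20 bytes
ALLOWED_TYPES = {"TEXT", "INTEGER", "REAL", "BLOB"}    # assumed allowlist for this example
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")   # identifiers cannot be bound either


def build_add_column_vulnerable(table, column, column_type):
    """DDL has no placeholder for a column's type, so it is concatenated.
    The only guard is a byte-length check: any SQL that fits passes through."""
    if len(column_type.encode("utf-8")) > MAX_TYPE_LEN:
        raise ValueError("column type too long")
    return f'ALTER TABLE "{table}" ADD COLUMN "{column}" {column_type}'


def build_add_column_safe(table, column, column_type):
    """Validate every non-bindable fragment against a strict allowlist before
    concatenation; the length of the input no longer matters."""
    normalized = column_type.strip().upper()
    if normalized not in ALLOWED_TYPES:
        raise ValueError(f"unsupported column type: {column_type!r}")
    for ident in (table, column):
        if not IDENT.match(ident):
            raise ValueError(f"bad identifier: {ident!r}")
    return f'ALTER TABLE "{table}" ADD COLUMN "{column}" {normalized}'


def _fresh_db():
    """Constructed schema: the app's own table "t" and an unrelated table "s"
    standing in for data owned by another component sharing the database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        'CREATE TABLE "t" (id INTEGER PRIMARY KEY);'
        'CREATE TABLE "s" (v TEXT);'
        "INSERT INTO s VALUES ('secret');"
    )
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def add_column(builder, column_type):
    """Run a builder's output through a driver that accepts stacked statements
    (sqlite's executescript plays that role). Returns whether table "s" survived."""
    conn = _fresh_db()
    conn.executescript(builder("t", "c", column_type))
    return table_exists(conn, "s")


def is_rejected(builder, column_type):
    """True if the builder refuses the input before any SQL is built."""
    try:
        builder("t", "c", column_type)
    except ValueError:
        return True
    return False


# Constructed payload, 16 bytes: passes the length check, carries a second statement.
PAYLOAD = "INT;DROP TABLE s"

if __name__ == "__main__":
    print("vulnerable builder, table s survived:", add_column(build_add_column_vulnerable, PAYLOAD))
    print("safe builder rejects payload:", is_rejected(build_add_column_safe, PAYLOAD))
    print("safe builder, table s survived:", add_column(build_add_column_safe, "integer"))
```

The safe builder also normalizes case and whitespace before the allowlist check, so that "integer" and " INTEGER " both map to the same accepted token; the vulnerable builder's length check would have accepted the payload regardless of what the rest of the statement looked like.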

Metrics

CVSS v3.1 base score: 8.2
Severity: HIGH
Fixed in: 0.7.7, 0.8.10, 0.9.8, 1.0.4, 2.0.0 (per the upstream advisory)
Affected products: 1


HarborGuard Analysis

Synopsis

SQL injection in the column type parameter of the Nextcloud Tables app affects Tables versions 0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, and 1.0.0 to before 1.0.4. The vulnerability is reachable over the network by an authenticated attacker with a low-privilege account, with no victim interaction required, though exploitation is rated high complexity because the injected SQL fragment is limited to 20 bytes. Successful exploitation lets an attacker execute SQL against the underlying database, enabling data extraction or modification. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as upstream fix versions are confirmed in distributed packages.

HarborGuard Coverage

Detection (Available)

Detection for CVE-2026-45545 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the Nextcloud Tables app. Any image found running an affected Tables app version (0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, or 1.0.0 to before 1.0.4) is flagged automatically in the pipeline scan results.

Triage (Available)

HarborGuard scores this finding at CVSS 8.2 HIGH and surfaces it accordingly in each customer's triage queue, weighted against that environment's compliance policy so that findings are prioritized by business context. Routing rules within each organization determine which team or inbox receives the alert, so the right owner sees it without manual sorting.

Patch (Pending upstream)

The advisory names 0.7.7, 0.8.10, 0.9.8, 1.0.4, and 2.0.0 as fixed releases, but HarborGuard has not yet confirmed those versions as available in distributed packages, so it re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment a fixed package is published. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads are triggered automatically at that point, without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The Tables app is reached over the network, so an attacker must be able to reach the Nextcloud instance remotely to deliver the injection payload (CVSS AV:N).

  • Authentication: Required

    A low-privilege account with access to the Nextcloud Tables app is sufficient; no administrative rights are needed (CVSS PR:L).

  • Victim interaction: Not required

    The injection is stored and executed server-side, so no user needs to click a link or take any other action for the payload to run (CVSS UI:N).

  • Attack complexity: High

    Exploitation is rated high complexity (CVSS AC:H) because the injected SQL fragment is limited to 20 bytes. The advisory states that carefully crafted input can break out of that limit, which likely requires several crafted inputs or chained techniques rather than a single statement.

Blast Radius

  • An attacker reads rows from the Nextcloud database with the privileges of the application's own database account (for example file metadata or user records); the advisory confirms that information can be extracted but does not enumerate which tables are reachable.
  • An attacker modifies persisted database rows, altering file references, user settings, or application state; the advisory confirms that data can be modified.
  • The impact extends beyond the Tables app itself because the injected SQL runs in the database shared by all Nextcloud components, which is why the CVSS scope is rated Changed (S:C).

How HarborGuard Handles This

Available on HarborGuard: this CVE is re-checked on every ingest cycle because no patched packages have been confirmed in distribution yet. In the meantime, the effective compensating control follows from the precondition, an authenticated account with access to the Tables app: disable the app until the fix ships (occ app:disable tables, where tables is the app id) or, if that is too disruptive, limit the app to a trusted group through the "Limit to groups" setting on the Nextcloud app management page. Restricting the container's network egress does not help here, because the injected SQL is issued over Nextcloud's own database connection, which has to stay open for the application to work. Where compliance policy permits, HarborGuard will automatically queue a patched-image rebuild, run regression tests, and open a PR against affected workloads the moment upstream ships a fixed release across any of the affected branches (0.7.7, 0.8.10, 0.9.8, 1.0.4, or 2.0.0). Customers who want earlier notice can configure advisory-watch alerts so they are notified as soon as HarborGuard observes a fix in the upstream feed.

Affected packages
  • nextcloud / security-advisories
    >= 0.7.0, < 0.7.7 · >= 0.8.0, < 0.8.10 · >= 0.9.0, < 0.9.8 · >= 1.0.0, < 1.0.4
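The Detection section above says affected images are flagged by matching the Tables app version against these ranges. As an added example of that matching (not HarborGuard's scanner code), the script below parses the range string exactly as printed on this page and checks an inventory of image names and Tables app versions against it. The inventory is constructed, and the treatment of pre-release tags (ordered just below their release, so that a release candidate of a fixed version still counts as affected) is an assumption made here for conservatism.

```python
"""Added example (not HarborGuard's scanner): match package versions against
the affected ranges as printed on this page."""
import re

# Copied verbatim from the "Affected packages" entry above.
AFFECTED_SPEC = (
    ">= 0.7.0, < 0.7.7 · >= 0.8.0, < 0.8.10 · >= 0.9.0, < 0.9.8 · >= 1.0.0, < 1.0.4"
)

_VERSION = re.compile(r"^v?(\d+(?:\.\d+)*)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$")
_COND = re.compile(r"(>=|<=|>|<)\s*v?(\d+(?:\.\d+)*)")   # ">=" must precede ">"


def parse_version(text):
    """'1.0.4' -> (1, 0, 4, 0, 0); '0.7.7-rc1' -> (0, 7, 7, 0, -1).
    Numbers are padded to four components and a fifth slot encodes a
    pre-release tag as -1 (assumption for this example), so every tuple has
    the same length and a pre-release sorts just below its release."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    return nums + ((-1,) if m.group(2) else (0,))


def parse_ranges(spec):
    """Split the page's '·'-separated clauses into lists of (op, bound)."""
    ranges = []
    for clause in spec.split("·"):
        conds = _COND.findall(clause)
        if not conds:
            raise ValueError(f"no comparison in clause: {clause!r}")
        ranges.append([(op, parse_version(v)) for op, v in conds])
    return ranges


_OPS = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
}


def is_affected(version, spec=AFFECTED_SPEC):
    """True if the version lies inside any clause (all conditions of one clause hold)."""
    v = parse_version(version)
    return any(all(_OPS[op](v, bound) for op, bound in conds) for conds in parse_ranges(spec))


def scan(inventory, spec=AFFECTED_SPEC):
    """inventory: {image name: Tables app version}. Returns the affected image names, sorted."""
    return sorted(name for name, version in inventory.items() if is_affected(version, spec))


# Constructed inventory for the demo; the versions are illustrative.
SAMPLE_INVENTORY = {
    "nc-prod": "0.8.9",
    "nc-staging": "1.0.4",
    "nc-dev": "0.7.7-rc1",
    "nc-old": "0.6.5",
}

if __name__ == "__main__":
    print(scan(SAMPLE_INVENTORY))   # ['nc-dev', 'nc-prod']
```

Versions outside every listed clause (0.6.x, 1.1.x, 2.x) come back as not affected simply because the page lists no range for them; a scanner should flag unknown branches for manual review rather than silently clearing them.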
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N