CVE-2026-45722 · Severity: HIGH · CNA: GitHub_M

CVE-2026-45722: Nextcloud: Tables app allows limited SQLi in ORDER BY with malicious sort order argument for Table Views

Nextcloud is an open source content collaboration platform. From versions 0.9.0 to before 0.9.7, and 1.0.0 to before 1.0.2, a missing sanitization in the Tables app allowed a user with access to the Tables app to perform a limited SQL injection in the ORDER BY clause of a query. Compared to normal SQL injections, the ORDER BY position is limited to extracting a single bit of information per request or to making the database wait for a given time. This issue has been patched in versions 0.9.7 and 1.0.2.

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: not listed
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A partial SQL injection vulnerability affects the Nextcloud Tables app in versions 0.9.0 through 0.9.6 and 1.0.0 through 1.0.1. An authenticated attacker who can access the Tables app reaches the flaw over the network by supplying a malicious sort-order argument to a Table View query, injecting content into the ORDER BY clause of the underlying SQL statement. Successful exploitation lets an attacker extract database contents one bit at a time or stall the database with time-delay queries, leaking confidential data and degrading service availability. Fix versions 0.9.7 and 1.0.2 have been identified upstream; however, no patched image rebuild is currently available on HarborGuard as the upstream fix versions have not yet been formally published to advisory feeds, and HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-45722 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the Nextcloud Tables app. Any image carrying an affected Tables app version (0.9.0 to before 0.9.7, or 1.0.0 to before 1.0.2) will surface as a finding in the relevant registry and pipeline scan results.

Triage: Available

Triage is available with a CVSS v3.1 score of 7.1 (HIGH) applied to each matched finding, and per-environment compliance policy weighting can escalate or adjust priority based on each customer org's defined thresholds. Findings are routed to the appropriate team inbox within the customer org according to configured ownership and policy rules.

Patch: Pending upstream

Because no fix versions have been formally published to upstream advisory feeds at this time, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is confirmed. For customers with auto-remediation enabled, a rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once the patch becomes available.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Nextcloud Tables app over the network; the vulnerable endpoint is exposed via the standard Nextcloud HTTP interface.

  • Authentication: Required

    Any low-privilege account with access to the Tables app is sufficient; no administrative rights are needed.

  • Victim interaction: Not required

    The attacker can exploit the flaw directly by crafting a malicious sort-order request; no action from another user is needed.

  • Attack complexity: Low

    Exploit conditions are straightforward and reliable; no race conditions or special environmental prerequisites are required to inject into the ORDER BY clause.

Blast Radius

  • Reads database contents one bit per request using blind SQL injection techniques, enabling slow but systematic extraction of stored data such as table contents, user records, or configuration values.
  • Causes the database to pause execution for attacker-controlled durations via time-delay injection, degrading availability of the Nextcloud instance for legitimate users.
  • Confidentiality impact is high; an attacker with enough requests can reconstruct sensitive stored information from the database.
  • Availability impact is partial; deliberate time-delay queries can slow or disrupt database responsiveness without fully crashing the service.
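The root cause described above is a sort-order argument reaching the ORDER BY clause unchecked. The following is an added illustration written for this page, not code from Nextcloud or the Tables app: it shows the vulnerable string-building pattern next to the hardened form, in which the client-supplied sort key and direction only select entries from fixed allow-lists. The schema, rows and column names are constructed for the example; the query itself runs against an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data standing in for a table view; not Nextcloud's schema.
ROWS = [(1, "alpha", 30), (2, "bravo", 10), (3, "charlie", 20)]

# Allow-lists: the only sort keys and directions a client may name, mapped to
# the real SQL identifiers. ORDER BY cannot take a bound parameter for a column
# name, so this mapping is the control that replaces "sanitization".
SORT_COLUMNS = {"id": "id", "name": "name", "score": "score"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rows (id INTEGER, name TEXT, score INTEGER)")
    conn.executemany("INSERT INTO rows VALUES (?, ?, ?)", ROWS)
    return conn


def unsafe_order_by_sql(sort: str, direction: str) -> str:
    """Vulnerable pattern: whatever the client sent is pasted into the statement.

    Only builds the string and never executes it, so the defect is visible
    without running any injected input against the database.
    """
    return f"SELECT id, name, score FROM rows ORDER BY {sort} {direction}"


def safe_query(conn, sort: str, direction: str = "asc"):
    """Hardened pattern: input selects an allow-listed identifier or is rejected."""
    try:
        column = SORT_COLUMNS[sort]
        order = SORT_DIRECTIONS[direction.lower()]
    except KeyError:
        # Reject rather than "clean up": anything outside the allow-list is an error.
        raise ValueError(f"unsupported sort argument: {sort!r} {direction!r}")
    # Only allow-listed literals reach the statement; the client's bytes never do.
    return conn.execute(
        f"SELECT id, name, score FROM rows ORDER BY {column} {order}"
    ).fetchall()


def sorted_ids(sort: str, direction: str = "asc"):
    """Return row ids in the requested order using the hardened query."""
    conn = _connect()
    try:
        return [row[0] for row in safe_query(conn, sort, direction)]
    finally:
        conn.close()


def is_rejected(sort: str, direction: str = "asc") -> bool:
    """True when the hardened query refuses the given sort arguments."""
    conn = _connect()
    try:
        safe_query(conn, sort, direction)
        return False
    except ValueError:
        return True
    finally:
        conn.close()


if __name__ == "__main__":
    print("unsafe builds:", unsafe_order_by_sql("not_a_column", "asc"))
    print("safe, by score:", sorted_ids("score"))
    print("safe rejects 'score, id':", is_rejected("score, id"))
```

The point to take from the hardened form is that there is no escaping function for identifiers in ORDER BY; the fix is to map client input onto a closed set of column and direction literals and fail closed on anything else, which is also what makes the flaw detectable in review (any ORDER BY built from a request parameter without such a mapping is the pattern this advisory describes).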

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-45722 is tracked continuously across all customer environments, with image scans matching any Nextcloud Tables app version in the affected ranges. Because no formally published fix version is available from upstream advisory feeds at this time, HarborGuard re-checks the advisory on every ingest cycle. The moment upstream publishes a confirmed fix, a patched-image rebuild will become available automatically, and for customers with auto-remediation enabled, this triggers a rebuild, a regression test run, and a PR opened against affected workloads, with no manual steps required. In the interim, compensating controls worth considering include network-policy isolation to restrict Tables app access to trusted internal users only, egress filtering to limit what the database host can reach, and disabling or restricting Table View sort-order features via application-level feature flags if supported by your Nextcloud deployment.

Affected packages

  • nextcloud / security-advisories: >= 0.9.0, < 0.9.7 · >= 1.0.0, < 1.0.2

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L