Fedora NextCloud Update Addresses JSON Tampering and DoS Vulnerabilities

Severity: High (Score: 72.0)

Sources: Linuxsecurity

Published: 2026-06-05 · Updated: 2026-06-05

Keywords: nextcloud, json, tampering, cve-2026-42044, axios, invisible, fedora

Severity indicators: CVE:CVE-2026-42044

Summary

On June 5, 2026, Fedora released updates for NextCloud addressing two critical vulnerabilities: CVE-2026-42044 and CVE-2026-44167. CVE-2026-42044 involves JSON response tampering via prototype pollution in Axios, while CVE-2026-44167 allows denial of service through untrusted ASN.1 file loading in phpseclib. Both vulnerabilities affect NextCloud versions prior to 33.0.4. Users are advised to upgrade to version 33.0.4 to mitigate these risks. The vulnerabilities were published on April 24 and May 12, 2026, respectively. The updates can be installed using the 'dnf' package manager. Immediate action is recommended to prevent potential exploitation.

Key Points:

  • Two critical vulnerabilities in NextCloud require immediate updates to version 33.0.4.
  • CVE-2026-42044 allows JSON response tampering via Axios, posing security risks.
  • CVE-2026-44167 enables denial of service through untrusted ASN.1 file loading.

Detailed Analysis

**Impact** Users of Fedora 43 and 44 running NextCloud versions prior to 33.0.4 are affected by vulnerabilities that enable JSON response tampering and denial of service (DoS) attacks. This impacts organizations relying on NextCloud for file sharing and collaboration, potentially disrupting operations and risking data integrity. No specific sectors or geographic regions are detailed in the sources.

**Technical Details** Two main vulnerabilities are addressed: CVE-2026-42044, involving invisible JSON response tampering via prototype pollution in Axios, and CVE-2026-44167, a DoS vulnerability through untrusted ASN.1 file loading in phpseclib. Exploitation occurs during data processing stages, manipulating JSON responses or triggering service crashes. No malware or additional infrastructure details were provided. Indicators of compromise (IOCs) are not specified.

**Recommended Response** Apply the NextCloud 33.0.4 update available via Fedora’s dnf package manager immediately using the provided advisories (FEDORA-2026-30881a5be7 for Fedora 44 and FEDORA-2026-e187104307 for Fedora 43). Monitor for unusual JSON response behaviors and service disruptions indicative of prototype pollution or ASN.1 parsing issues. Harden configurations related to JSON handling and ASN.1 file processing where possible.

Source articles (2)

  • Fedora 43 nextcloud 33.0.4 Critical JSON Tampering DoS CVE-2026 — Linuxsecurity · 2026-06-05
    [ 1 ] Bug #2467998 - CVE-2026-42044 nextcloud: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget [epel-all] [ 2 ] Bug #2468008 - CVE-2026-42044 nextcloud: Axios: Invisible JSON R…
  • Fedora 44 NextCloud Update Denial of Service JSON Tampering 2026 — Linuxsecurity · 2026-06-05
    [ 1 ] Bug #2467998 - CVE-2026-42044 nextcloud: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget [epel-all] [ 2 ] Bug #2468008 - CVE-2026-42044 nextcloud: Axios: Invisible JSON R…

Timeline

  • 2026-04-24 — CVE-2026-42044 published: NextCloud vulnerability discovered allowing JSON response tampering via Axios.
  • 2026-05-12 — CVE-2026-44167 published: NextCloud vulnerability identified enabling denial of service through ASN.1 file loading.
  • 2026-06-05 — Fedora releases updates for NextCloud: Fedora advises users to upgrade to NextCloud version 33.0.4 to address critical vulnerabilities.

CVEs

  • CVE-2026-42044
  • CVE-2026-44167

Related entities

  • Denial of Service (Attack Type)
  • CWE-502 - Deserialization of Untrusted Data (CWE)
  • Axios (Platform)
  • Nextcloud (Platform)
  • Phpseclib (Platform)
  • Fedora (Company)
  • Prototype Pollution (Vulnerability)