Nextcloud ACL Rename Permission Bypass Vulnerability Disclosed

Severity: Medium (Score: 45.9)

Sources: exploit-intel.com, cve.akaoma.com, vuldb.com, Feedly, db.gcve.eu

Published: 2026-06-01 · Updated: 2026-06-02

Keywords: before, nextcloud, permission, open, source, content, collaboration

Severity indicators: rce, pla, rat, CVE:CVE-2026-45264

Summary

A new vulnerability, CVE-2026-45264, has been identified in Nextcloud, an open-source content collaboration platform. This flaw affects versions 17.0.0 to before 17.0.15, 18.0.0 to before 18.1.12, 19.0.0 to before 19.1.16, 20.0.0 to before 20.1.11, and 21.0.0 to before 21.0.4. Users with READ and CREATE permissions, but lacking UPDATE permissions, can rename files in team folders, potentially leading to unauthorized file modifications. The vulnerability has been assigned a CVSS score of 4.3, indicating a medium severity level. Patches have been released in versions 17.0.15, 18.1.12, 19.1.16, 20.1.11, and 21.0.4. Organizations using affected versions are advised to update immediately to mitigate risks. The issue was published on June 1, 2026, and has been reported across multiple cybersecurity platforms.

Key Points:

  • CVE-2026-45264 allows unauthorized file renaming in Nextcloud team folders.
  • Affected versions include Nextcloud 17.0.0 to 21.0.3; patches are available.
  • The vulnerability has a CVSS score of 4.3, indicating medium severity.

Detailed Analysis

**Impact** Nextcloud users running versions 17.0.0 up to but not including 17.0.15, 18.0.0 up to but not including 18.1.12, 19.0.0 up to but not including 19.1.16, 20.0.0 up to but not including 20.1.11, and 21.0.0 up to but not including 21.0.4 are affected. The vulnerability allows users with READ and CREATE permissions, but without UPDATE permissions, to rename files in team folders, potentially impacting collaborative workflows and file integrity. No specific sectors, geographies, or data volumes are detailed in the sources.

**Technical Details** The vulnerability (CVE-2026-45264) is an ACL rename permission bypass affecting Nextcloud team folders. Exploitation requires an account that holds READ and CREATE permissions on a team folder but lacks UPDATE rights; that account can nonetheless rename files in the folder. The CVSS 3.1 base score is 4.3 (Medium), with a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), and no user interaction (UI:N). No malware, tools, or IOCs are reported.

**Recommended Response** Apply patches to affected Nextcloud versions by upgrading to 17.0.15, 18.1.12, 19.1.16, 20.1.11, or 21.0.4 immediately. Review and restrict user permissions on team folders to minimize exposure. Monitor file rename activities in team folders for unauthorized changes. No additional detection signatures or indicators are currently available.
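To support the patching step, the following added example (not code from Nextcloud or from any of the cited sources) triages an inventory of version strings against the affected ranges listed above and returns the fixed version for each branch. The host names and versions in the sample inventory are constructed, and the version strings are assumed to be those of the component the advisory's ranges apply to.

```python
import re

# (first affected, first fixed) per major branch, copied from the advisory text.
RANGES = {
    17: ((17, 0, 0), (17, 0, 15)),
    18: ((18, 0, 0), (18, 1, 12)),
    19: ((19, 0, 0), (19, 1, 16)),
    20: ((20, 0, 0), (20, 1, 11)),
    21: ((21, 0, 0), (21, 0, 4)),
}
_VERSION = re.compile(r"v?(\d+)\.(\d+)\.(\d+)([-+~].*)?")

def triage(version_text):
    """Classify one version string; returns (status, fixed_version_or_None)."""
    m = _VERSION.fullmatch(version_text.strip())
    if not m:
        return ("unparseable", None)
    v = tuple(int(p) for p in m.group(1, 2, 3))
    if v[0] not in RANGES:
        return ("not-listed", None)      # advisory says nothing about this branch
    first, fixed = RANGES[v[0]]
    fixed_text = ".".join(map(str, fixed))
    if first <= v < fixed:
        return ("affected", fixed_text)
    if v == fixed and m.group(4):
        # Assumption: a suffixed build of the fixed number (e.g. -rc1) may
        # predate the fix, so send it to manual review instead of clearing it.
        return ("review", fixed_text)
    return ("patched", None)

def upgrade_plan(inventory):
    """Map host -> (status, required version) for hosts not clearly patched."""
    plan = {}
    for host, version in sorted(inventory.items()):
        status, target = triage(version)
        if status in ("affected", "review"):
            plan[host] = (status, target)
    return plan

# Constructed inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "files-a.example": "21.0.3",
    "files-b.example": "18.1.12",
    "files-c.example": "v19.0.0",
    "files-d.example": "20.1.11-rc1",
    "files-e.example": "16.0.9",
}

if __name__ == "__main__":
    for host, (status, target) in upgrade_plan(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}, upgrade to {target}")
```

Versions outside the 17 to 21 branches come back as `not-listed` because the advisory makes no statement about them; treat that as unknown, not as safe.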

Source articles (6)

  • CVE-2026-45264 - Exploits & Severity — Feedly · 2026-06-01
    Nextcloud is an open source content collaboration platform. From versions 17.0.0 to before 17.0.15, 18.0.0 to before 18.1.12, 19.0.0 to before 19.1.16, 20.0.0 to before 20.1.11, and 21.0.0 to before 2…
  • CVE-2026-45264 AKAOMA CVE VULNERABILITIES / 3h Nextcloud is an open source content collaboration platform. From versions 17.0.0 to before 17.0.15, 18.0.0 to before 18.1.12, 19.0.0 to before 19.1.16, 20.0.0 to before 20.1.11, and 21.0.0 to before 21.0.4, a user with READ and CREATE permission, but no UPDATE permission for a team folder can rename files in the team folder. This issue has been patched in versions 17.0.15, 18.1.12, 19.1.16, 20.1.11, and 21.0.4. — cve.akaoma.com · 2026-06-01
    4.3 /10 Medium Risk The vulnerability CVE-2026-45264 could compromise system integrity but typically requires user interaction to be exploited. The vulnerability CVE-2026-45264 could compromise system…
  • CVE-2026-45264: Nextcloud: ACL Rename Permission Bypass in Team Folders Allows Unauthorized File Renames [MEDIUM] CVSS 4.3 Exploit Intelligence — Recent CVEs / 3h Nextcloud is an open source content collaboration platform. From versions 17.0.0 to before 17.0.15, 18.0.0 to before 18.1.12, 19.0.0 to before 19.1.16, 20.0.0 to before 20.1.11, and 21.0.0 to before 21.0.4, a user with READ and CREATE permission, but no UPDATE permission for a team folder can rename — exploit-intel.com · 2026-06-01
    Nextcloud is an open source content collaboration platform. From versions 17.0.0 to before 17.0.15, 18.0.0 to before 18.1.12, 19.0.0 to before 19.1.16, 20.0.0 to before 20.1.11, and 21.0.0 to before 2…
  • Nextcloud: ACL Rename Permission Bypass in Team Folders Allows Unauthorized F... CVE: New / 4h Nextcloud is an open source content collaboration platform. — cve.threatint.eu · 2026-06-01
    Nextcloud is an open source content collaboration platform. From versions 17.0.0 to before 17.0.15, 18.0.0 to before 18.1.12, 19.0.0 to before 19.1.16, 20.0.0 to before 20.1.11, and 21.0.0 to before 2…
  • CVE-2026-45264 | Nextcloud Team Folders up to 21.0.3 access control (GHSA-wx2x-822r-rvmf) VulDB Recent Entries / 3h A vulnerability described as critical has been identified in Nextcloud Team Folders up to 17.0.14/18.1.11/19.1.15/20.1.10/21.0.3 . This affects an unknown function. Such manipulation leads to improper access controls. This vulnerability is traded as CVE-2026-45264 . The attack may be launched remotely. There is no exploit available. Upgrading the affected component is recommended. — vuldb.com · 2026-06-01
  • cve-2026-45264 Most recent entries from cvelistv5 / 4h Nextcloud: ACL Rename Permission Bypass in Team Folders Allows Unauthorized File Renames — db.gcve.eu · 2026-06-01

Timeline

  • 2026-06-01 — CVE-2026-45264 published: Nextcloud vulnerability disclosed, allowing unauthorized file renaming by users with limited permissions.
  • 2026-06-01 — Patches released for affected versions: Nextcloud released updates for versions 17.0.15, 18.1.12, 19.1.16, 20.1.11, and 21.0.4 to address the vulnerability.
  • 2026-06-01 — CVSS score assigned: The vulnerability received a CVSS score of 4.3, categorizing it as medium risk.

CVEs

  • CVE-2026-45264

Related entities

  • CWE-862 - Missing Authorization (Cwe)
  • cve.org (Domain)
  • hackerone.com (Domain)
  • nvd.nist.gov (Domain)
  • Nextcloud (Platform)
  • ACL Rename Permission Bypass In Team Folders (Vulnerability)