exploit-intel.com
Nextcloud ACL Rename Permission Bypass Vulnerability Disclosed
A new vulnerability, CVE-2026-45264, has been identified in Nextcloud, an open-source content collaboration platform. This flaw affects versions 17.0.0 to before 17.0.15, 18.0.0 to before 18.1.12, 19.0.0 to before 19.1.16, 20.0.0 to before 20.1.11, and 21.0.0 to before 21.0.4. Users with READ and CREATE permissions, but lacking UPDATE permissions, can rename files in team folders, potentially leading to unauthorized file modifications. The vulnerability has been assigned a CVSS score of 4.3, indicating a medium severity level. Patches have been released in versions 17.0.15, 18.1.12, 19.1.16, 20.1.11, and 21.0.4. Organizations using affected versions are advised to update immediately to mitigate risks. The issue was published on June 1, 2026, and has been reported across multiple cybersecurity platforms.
Key Points:
• CVE-2026-45264 allows unauthorized file renaming in Nextcloud team folders.
• Affected versions include Nextcloud 17.0.0 to 21.0.3; patches are available.
• The vulnerability has a CVSS score of 4.3, indicating medium severity.
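
To triage an inventory against the affected ranges listed above, the following added example (not code from the advisory or from Nextcloud) flags affected versions and names the patched release for each branch. The host names and sample versions are constructed, and treating a pre-release of a fixed version as still affected is an assumption.

```python
# Added example: ranges copied from the advisory text above.
# Each entry is (first affected version, first fixed version).
AFFECTED_RANGES = [
    ((17, 0, 0), (17, 0, 15)),
    ((18, 0, 0), (18, 1, 12)),
    ((19, 0, 0), (19, 1, 16)),
    ((20, 0, 0), (20, 1, 11)),
    ((21, 0, 0), (21, 0, 4)),
]

def parse_version(text):
    """Parse 'X.Y.Z' (optional 'v' prefix, '-rc1' or '+build' suffix)."""
    text = text.strip()
    prerelease = "-" in text
    core = text.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums))), prerelease

def check(version_text):
    """Return (affected, fixed_version_or_None) for one installed version."""
    version, prerelease = parse_version(version_text)
    for first, fixed in AFFECTED_RANGES:
        # Assumption: a pre-release of the fixed version may lack the patch,
        # so it is reported as affected (the advisory does not cover this).
        if first <= version < fixed or (prerelease and version == fixed):
            return True, ".".join(map(str, fixed))
    return False, None

def triage(inventory):
    """Map host -> action for every affected or unparseable {host: version}."""
    findings = {}
    for host, version_text in inventory.items():
        try:
            affected, fixed = check(version_text)
        except ValueError:
            findings[host] = "unparseable version, check manually"
            continue
        if affected:
            findings[host] = f"upgrade to {fixed}"
    return findings

if __name__ == "__main__":
    # Constructed sample inventory.
    sample = {"files01": "19.1.15", "files02": "19.1.16", "lab": "nightly"}
    for host, action in triage(sample).items():
        print(f"{host}: {action}")
```
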