Nextcloud CVE-2026-45277: Low-Severity Information Disclosure Vulnerability
Severity: Low (Score: 30.9)
Sources: radar.offseq.com, cve.report, vuldb.com, nvd.nist.gov, Feedly
Keywords: nextcloud, cve-2026-45277, prior, version, approval, authenticated, users
Severity indicators: CVE:CVE-2026-45277
Summary
CVE-2026-45277 is a low-severity vulnerability affecting Nextcloud versions prior to 2.7.2. Authenticated users could exploit this flaw to determine if arbitrary files are linked to specific approval workflows, potentially exposing sensitive metadata. The vulnerability has a CVSS 3.1 base score of 3.3, indicating limited impact on confidentiality, integrity, and availability. It does not allow for modification or denial of service. The issue has been patched in Nextcloud version 2.7.2, and users are advised to upgrade to this version or later. There are currently no known exploits in the wild. As this is not a cloud service, users must manually apply the update. The vulnerability was published on June 1, 2026.

Key Points:
- CVE-2026-45277 is a low-severity vulnerability in Nextcloud versions before 2.7.2.
- Authenticated users can exploit this flaw to check file approval workflows, risking sensitive information exposure.
- Nextcloud version 2.7.2 addresses this vulnerability; users must apply the update manually.
Detailed Analysis
**Impact** Authenticated users of Nextcloud versions prior to 2.7.2 are affected by this vulnerability. The issue exposes limited sensitive metadata related to file approval workflows but does not allow modification or disruption of services. There are no reported incidents or exploits in the wild, and the impact is confined to information disclosure with a low CVSS score of 3.3. No specific sectors, geographies, or user numbers are detailed in the sources.

**Technical Details** The vulnerability (CVE-2026-45277) involves an information disclosure flaw (CWE-200) in the security-advisories component of Nextcloud before version 2.7.2. Authenticated users can verify whether arbitrary files are linked to approval workflows, revealing sensitive metadata. The attack vector requires low privileges (authenticated user) and local access; no malware or external infrastructure is associated. No IOCs or active exploitation have been reported.

**Recommended Response** Upgrade Nextcloud installations to version 2.7.2 or later to remediate the vulnerability. Since Nextcloud is not a cloud service, users must apply the update manually. Monitor for unusual access patterns to approval workflow metadata and review authentication logs for suspicious activity. No additional detection or blocking indicators are currently available.
Source articles (5)
- CVE-2026-45277 - Exploits & Severity — Feedly · 2026-06-01
  Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, authenticated users can check if arbitrary files are associated with specific approval workflows where they can requ…
- CVE-2026-45277: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in nextcloud security-advisories (Radar - Latest Security Threats) — radar.offseq.com · 2026-06-01
  CVE-2026-45277 is a low-severity vulnerability in Nextcloud versions prior to 2.7.2 where authenticated users could determine if arbitrary files are linked to specific approval workflows. This exposure of sensitive information does not allow modification or denial of service. The issue has been addressed in Nextcloud version 2.7.2. (CVSS: 3
- CVE-2026-45277 (National Vulnerability Database) — nvd.nist.gov · 2026-06-01
  This CVE record has recently been published to the CVE List and has been included within the NVD dataset. Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, authenticated users can check if arbitrary files are associated with specific approval workflows where they can request approval. This issue has been patched in version 2.7.2.
- CVE-2026-45277 | Nextcloud Approval up to 2.7.1 information disclosure (GHSA-h7gm-vgxr-9hcw) (VulDB Recent Entries) — vuldb.com · 2026-06-01
  A vulnerability identified as problematic has been detected in Nextcloud Approval up to 2.7.1. This vulnerability affects unknown code. The manipulation leads to information disclosure. This vulnerability is listed as CVE-2026-45277. The attack must be carried out locally. There is no available exploit. You should upgrade the affected component.
- CVE-2026-45277 (CVE Vulnerability Disclosures) — cve.report · 2026-06-01
  Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, authenticated users can check if arbitrary files are associated with specific approval workflows where they can request approval. This issue has been patched in version 2.7.2.
Timeline
- 2026-06-01 — CVE-2026-45277 published: Nextcloud disclosed a low-severity information disclosure vulnerability affecting versions prior to 2.7.2.
- 2026-06-01 — Vulnerability patched in Nextcloud 2.7.2: Nextcloud released version 2.7.2, which addresses CVE-2026-45277, preventing unauthorized information disclosure.
- 2026-06-01 — No known exploits reported: As of the publication date, there are no known exploits of CVE-2026-45277 in the wild.
CVEs
Related entities
- Data Breach (Attack Type)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- CWE-862 - Missing Authorization (Cwe)
- Nextcloud (Platform)