CVE-2026-45264
Published:June 01, 2026
Updated:June 07, 2026
Nextcloud is an open source content collaboration platform. From versions 17.0.0 to before 17.0.15, 18.0.0 to before 18.1.12, 19.0.0 to before 19.1.16, 20.0.0 to before 20.1.11, and 21.0.0 to before 21.0.4, a user with READ and CREATE permission, but no UPDATE permission for a team folder can rename files in the team folder. This issue has been patched in versions 17.0.15, 18.1.12, 19.1.16, 20.1.11, and 21.0.4.
Affected Packages
https://github.com/nextcloud/groupfolders.git (GITHUB):
Affected version(s) >=v21.0.0 <v21.0.4Fix Suggestion:
Update to version v21.0.4https://github.com/nextcloud/groupfolders.git (GITHUB):
Affected version(s) >=v20.1.0 <v20.1.11Fix Suggestion:
Update to version v20.1.11https://github.com/nextcloud/groupfolders.git (GITHUB):
Affected version(s) >=v18.1.0 <v18.1.12Fix Suggestion:
Update to version v18.1.12https://github.com/nextcloud/groupfolders.git (GITHUB):
Affected version(s) >=v17.0.0 <v17.0.15Fix Suggestion:
Update to version v17.0.15https://github.com/nextcloud/groupfolders.git (GITHUB):
Affected version(s) >=v19.1.0 <v19.1.16Fix Suggestion:
Update to version v19.1.16Related Resources (3)
Do you need more information?
Contact UsCVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Access Control
EPSS
Base Score:
0.02