CVE-2026-45283
Published:June 01, 2026
Updated:June 07, 2026
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the files_lock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated user could lock or unlock files belonging to other users by targeting their absolute WebDAV paths. Additionally, lock tokens were disclosed to unauthorized callers in error responses, allowing attackers to remove token-based locks placed by other users' client applications. It is recommended that the Nextcloud Server is upgraded to 32.0.2 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 31.0.14.4 or 32.0.2 or 33.0.1
Affected Packages
https://github.com/nextcloud/files_lock.git (GITHUB):
Affected version(s) >=v32.0.0 <v32.0.2Fix Suggestion:
Update to version v32.0.2https://github.com/nextcloud/files_lock.git (GITHUB):
Affected version(s) >=v31.0.0 <v31.0.4Fix Suggestion:
Update to version v31.0.4https://github.com/nextcloud/files_lock.git (GITHUB):
Affected version(s) =v33.0.0 <v33.0.1Fix Suggestion:
Update to version v33.0.1Related Resources (3)
Do you need more information?
Contact UsCVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW
Weakness Type (CWE)
Improper Authentication
EPSS
Base Score:
0.01