PT-2026-45471 · Nextcloud · Nextcloud Server+1

Vidh0411 · Published 2026-06-01 · Updated 2026-06-01 · CVE-2026-45155

CVSS v3.1: 2.6 (Low)
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Nextcloud Server versions 32.0.0 through 32.0.6
Nextcloud Server versions 33.0.0 through 33.0.0
Nextcloud Enterprise Server versions prior to 29.0.16.14
Nextcloud Enterprise Server versions prior to 30.0.17.8
Nextcloud Enterprise Server versions prior to 31.0.14.3
Nextcloud Enterprise Server versions prior to 32.0.7
Nextcloud Enterprise Server versions prior to 33.0.1

Description

A missing access check at the API level allows the addition of unknown circles to other circles using their ID. While the default complexity of circle IDs (62^15) makes arbitrary execution unlikely, memberships could be tracked if an ID is obtained from another source.

Recommendations

Upgrade Nextcloud Server to version 32.0.7 or 33.0.1.
Upgrade Nextcloud Enterprise Server to version 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7, or 33.0.1.

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-45155

Affected Products

Nextcloud Enterprise Server
Nextcloud Server