PT-2026-45529 · Nextcloud · Nextcloud

Dorra Jaouad · Published 2026-06-01 · Updated 2026-06-17 · CVE-2026-45285

CVSS v3.1: 6.4 Medium

Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Nextcloud versions 32.0.0 through 32.0.8
Nextcloud versions 33.0.0 through 33.0.2

Description

When a user shares a folder or file with a Nextcloud Team containing an external member (a person added via email without a Nextcloud account), the system automatically generates a public link for that member. This link is sent via email and grants permissions to read, write, delete, reshare, and download data based on the Team's access level. Because the link is not displayed in the folder's share section, the owner is unaware of its existence and cannot revoke it through the standard sharing interface. An attacker who intercepts or receives this link can access and manipulate the shared data without authentication.

Recommendations

Update to version 32.0.9 for versions in the 32.x branch.
Update to version 33.0.3 for versions in the 33.x branch.

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-45285

Affected Products

Nextcloud