CVE-2026-45691EPSS p20.5%

CVE-2026-45691CVE-2026-45691

nextcloud / nextcloud_server

Description

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer token to authenticate against DAV endpoints, granting read/write access and bypassing mandatory two-factor authentication. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16

Scoring

CVSS 5.9 ()
VectorCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
EPSS0.29% probability of exploitation · percentile 20.5% · 2026-06-18T12:00:27Z
Last modified2026-06-04

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-45690
CVE
CVE-2026-45283
CVE
CVE-2026-45281
CVE
CVE-2026-45810
CVE
CVE-2026-45282
CVE
CVE-2026-45157
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.