CVE-2026-45283— Nextcloud Files Lock 应用允许锁定和解锁其他用户的文件
Possible ATT&CK Techniques 2AI
T1190 · Exploit Public-Facing Application T1484 · Domain or Tenant Policy ModificationAffected Version Matrix 2
| ベンダー | プロダクト | Version Range | ステータス |
|---|---|---|---|
| nextcloud | security-advisories | >= 32.0.0, < 32.0.2 | affected |
>= 33.0.0, < 33.0.1 | affected |
新しい脆弱性情報の通知を購読するログインして購読
I. CVE-2026-45283の基本情報
脆弱性情報
脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗ 高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
Nextcloud: Files Lock app allows users to lock and unlock files of other users
ソース: NVD (National Vulnerability Database)
脆弱性説明
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the files_lock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated user could lock or unlock files belonging to other users by targeting their absolute WebDAV paths. Additionally, lock tokens were disclosed to unauthorized callers in error responses, allowing attackers to remove token-based locks placed by other users' client applications. It is recommended that the Nextcloud Server is upgraded to 32.0.2 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 31.0.14.4 or 32.0.2 or 33.0.1
ソース: NVD (National Vulnerability Database)
CVSS情報
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
认证机制不恰当
ソース: NVD (National Vulnerability Database)
影響を受ける製品
| ベンダー | プロダクト | 影響を受けるバージョン | CPE | 購読 |
|---|---|---|---|---|
| nextcloud | security-advisories | >= 32.0.0, < 32.0.2 | - |
II. CVE-2026-45283の公開POC
| # | POC説明 | ソースリンク | Shenlongリンク |
|---|
AI生成POCプレミアム
公開POCは見つかりませんでした。
ログインしてAI POCを生成III. CVE-2026-45283のインテリジェンス情報
请登录查看更多情报信息。
CVE-2026-45283 补丁与修复 (1)
CVE-2026-45283 厂商安全公告 (1)
Same Patch Batch · nextcloud · 2026-06-01 · 26 CVEs total
| CVE-2026-45545 | 8.2 HIGH | Nextcloud: SQL Injection in Column Type Parameter Allows Arbitrary SQL Execution |
| CVE-2026-45281 | 8.1 HIGH | Nextcloud: Cross-Account Calendar Takeover via Unauthorized Group-Member-Set Update |
| CVE-2026-45156 | 8.1 HIGH | Nextcloud: Authentication Bypass in ID4me handling via Missing JWT Signature Verification |
| CVE-2026-45722 | 7.1 HIGH | Nextcloud: Tables app allows limited SQLi in ORDER BY with malicious sort order argument f |
| CVE-2026-45810 | 6.8 MEDIUM | Nextcloud: Propfind requests for file comments allowed to load comments for other files |
| CVE-2026-45275 | 6.5 MEDIUM | Nextcloud: Authorization bypass in approval feature allows unauthorized file sharing with |
| CVE-2026-45282 | 6.5 MEDIUM | Nextcloud: Logged-in user bypasses share password and download restrictions on Text attach |
| CVE-2026-45267 | 6.5 MEDIUM | Nextcloud: Missing permission check for from submissions |
| CVE-2026-45285 | 6.4 MEDIUM | Nextcloud: Hidden Public Link creation when sharing to a Team External Member |
| CVE-2026-45157 | 6.3 MEDIUM | Nextcloud: Valid share tokens allow to access tempory upload files of share owner |
| CVE-2026-45690 | 5.9 MEDIUM | Nextcloud: Two-Factor Authentication Bypass via Pending Session Token Replay |
| CVE-2026-45691 | 5.9 MEDIUM | Nextcloud: Bypass of second factor authentication on DAV endpoints |
| CVE-2026-45543 | 5.3 MEDIUM | Nextcloud: Deleting a Forms collaborator share leaves uploaded response files accessible t |
| CVE-2026-45153 | 4.6 MEDIUM | Nextcloud: PIN bypass in PassCodeActivity via back button |
| CVE-2026-45284 | 4.6 MEDIUM | Nextcloud: Wrong condition in the User OIDC app's LdapService allowed deleted LDAP users t |
| CVE-2026-45279 | 4.4 MEDIUM | Nextcloud: Limited path traversal via template API if using `{lang}` in config |
| CVE-2026-45264 | 4.3 MEDIUM | Nextcloud: ACL Rename Permission Bypass in Team Folders Allows Unauthorized File Renames |
| CVE-2026-45286 | 4.3 MEDIUM | Nextcloud: Calendar app leaked user identifiers via attendee suggestion endpoint |
| CVE-2026-45544 | 4.3 MEDIUM | Nextcloud: Information Disclosure of view filter metdata via Broken Sensitive Data Masking |
| CVE-2026-45159 | 3.5 LOW | Nextcloud: Files drop share links for end-to-end encrypted folders allowed to drop files i |
Showing 20 of 26 CVEs. View all on vendor page →
IV. 関連脆弱性
同じ製品: security-advisories
- CVE-2026-24754
Kiteworks Secure Data Forms Vulnerable to Cross-site Scripti - CVE-2026-45810
Nextcloud: Propfind requests for file comments allowed to lo - CVE-2026-45722
Nextcloud: Tables app allows limited SQLi in ORDER BY with m - CVE-2026-45691
Nextcloud: Bypass of second factor authentication on DAV end - CVE-2026-45690
Nextcloud: Two-Factor Authentication Bypass via Pending Sess
同じベンダー: nextcloud
- CVE-2026-45810
Nextcloud: Propfind requests for file comments allowed to lo - CVE-2026-45722
Nextcloud: Tables app allows limited SQLi in ORDER BY with m - CVE-2026-45691
Nextcloud: Bypass of second factor authentication on DAV end - CVE-2026-45690
Nextcloud: Two-Factor Authentication Bypass via Pending Sess - CVE-2026-45545
Nextcloud: SQL Injection in Column Type Parameter Allows Arb
同じ弱点: CWE-287
- CVE-2026-10548
NousResearch hermes-agent Credential Pool Synchronization cr - CVE-2026-40964
Cloud Foundry log-cache身份绕过漏洞 - CVE-2026-10288
code-projects Hotel and Tourism Reservation System Admin Log - CVE-2026-45691
Nextcloud: Bypass of second factor authentication on DAV end - CVE-2026-45690
Nextcloud: Two-Factor Authentication Bypass via Pending Sess
V. CVE-2026-45283へのコメント
まだコメントはありません