CVE-2026-45278

3.3 LOW

Nextcloud is an open source content collaboration platform

Published: 2026-06-01 · Last updated: 2026-06-03

Severity and scoring

CVSS: 3.3 LOW
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CWE: CWE-601

Affected products

Vendor	Product
nextcloud	user_oidc

Description

Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that would redirect users to another website, when the victim uses the attackers link to log in via user OIDC. This issue has been patched in version 8.2.2.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-45278
[Vendor advisory]https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8wjr-5cg8-4w73
[Patch]https://github.com/nextcloud/user_oidc/pull/1273
[Other]https://hackerone.com/reports/3464925

Related CVEs

Same vendor

CVE-2026-45810 — Nextcloud is an open source content collaboration platform (6.8 MEDIUM)
CVE-2026-45722 — Nextcloud is an open source content collaboration platform (7.1 HIGH)
CVE-2026-45691 — Nextcloud is an open source content collaboration platform (5.9 MEDIUM)
CVE-2026-45690 — Nextcloud is an open source content collaboration platform (5.9 MEDIUM)
CVE-2026-45545 — Nextcloud is an open source content collaboration platform (8.2 HIGH)

Same CWE

CVE-2026-46616 — Umbraco is an ASP.NET CMS (5.4 MEDIUM)
CVE-2026-48856 — Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data
CVE-2026-45566 — Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers (6.1 MEDIUM)
CVE-2026-53440 — Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" secur... (4.3 MEDIUM)
CVE-2026-53437 — Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenk... (4.3 MEDIUM)