CVE-2026-45278

3.3 LOW

Published: June 01, 2026 Modified: June 03, 2026

Description

Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that would redirect users to another website, when the victim uses the attackers link to log in via user OIDC. This issue has been patched in version 8.2.2.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8wjr-5cg8-4w73

Source: security-advisories@github.com

Vendor Advisory

https://github.com/nextcloud/user_oidc/pull/1273

Source: security-advisories@github.com

Issue Tracking Patch

https://hackerone.com/reports/3464925

Source: security-advisories@github.com

Permissions Required

3 reference(s) from NVD

Quick Stats

CVSS v3 Score

3.3 / 10.0

EPSS (Exploit Probability)

0.0%

3th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-601

Affected Vendors

nextcloud

Related CVEs

CVE-2026-9278 N/A

CVE-2026-8935 N/A

CVE-2026-8386 N/A

CVE-2026-8385 N/A

CVE-2026-12223 5.5