CVE-2026-45278
Severity: MEDIUM; WAF coverage: Medium
CVSS 6.1
Published: 2026-06-01
CWE-601
Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that redirect users to another website when the victim uses the attacker's link to log in via user OIDC. This issue has been patched in version 8.2.2.
WAF Coverage Analysis
Open Redirect
Medium WAF Coverage
OWASP: A01:2021 Broken Access Control
941xxx - XSS / XXE
Affected Software
| Vendor | Product | Version |
|---|---|---|
| nextcloud | user_oidc | 6.1.0 to before 8.2.2 |
References
- github.com (Vendor Advisory)
- github.com (Issue Tracking, Patch)
- hackerone.com (Permissions Required)