CVE-2026-45544

Nextcloud: Information Disclosure of view filter metdata via Broken Sensitive Data Masking in ViewService

CVSS 4.3 MEDIUMEPSS 0.2%CWE-1230

In short

Nextcloud Tables exposes filter criteria details to read-only users who shouldn't see them. This leaks information about how data is being filtered, which could reveal sensitive details about the database structure or filtered content.

Technical detail

CWE-1230 (Broken Sensitive Data Masking) allows read-only users in Nextcloud Tables to access view filter metadata through the ViewService, bypassing intended data protection controls. The vulnerability exists in versions 0.8.0 through 1.0.3; affected systems require upgrade to 1.0.4 or 2.0.0 to remediate the information disclosure.

Summary generated and translated by AI from the official description.

Nextcloud is an open source content collaboration platform. From version 0.8.0 to before version 1.0.4, the view filter criteria is exposed to users with read-only permissions in Nextcloud Tables. This issue has been patched in versions 1.0.4 and 2.0.0.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected products

nextcloud · security-advisories

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vvxm-6jjp-m9mp https://github.com/nextcloud/tables/pull/2312 https://hackerone.com/reports/3483753