CVE-2026-45279

Nextcloud: Limited path traversal via template API if using `{lang}` in config

Assigner: GitHub_M
Reserved: 11.05.2026 Published: 01.06.2026 Updated: 02.06.2026

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if {lang} is used in the template directory config value, non-admin users can in some cases copy arbitrary files (depending on unix permissions) into their own Nextcloud directory via a path traversal. It is recommended that the Nextcloud Server is upgraded to 32.0.4, 31.0.14. It is recommended that the Nextcloud Enterprise Server is upgraded to 32.0.4, 31.0.14, 30.0.17.7, 29.0.17.12, 28.0.14.15

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 4.4

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	nextcloud
Product	security-advisories
Versions	Version >= 31.0.0, < 31.0.14 is affected Version >= 32.0.0, < 32.0.4 is affected

Vendor

nextcloud

Product

security-advisories

Versions

Version >= 31.0.0, < 31.0.14 is affected
Version >= 32.0.0, < 32.0.4 is affected

References

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE

CVE-2026-45279 PUBLISHED

Nextcloud: Limited path traversal via template API if using `{lang}` in config

Metrics

Product Status

References

Problem Types