CVE-2026-45156 Nextcloud: Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC

Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been patched in versions...

CVE-2026-45156

Nextcloud vulnerable component: User OIDC handling; a missing signature verification allowed an ID4me authority to impersonate any user. Affected versions: 0.3.0–before 3.1.0, 5.0.0–before 5.1.0, and 6.0.0–before 6.4.0. Root cause: absent JWT/signature check in OIDC flow as described in the CVE d...