10 matches found

CVE
added 3 days ago, 11 views

CVE-2026-45156

Nextcloud vulnerable component: User OIDC handling; a missing signature verification allowed an ID4me authority to impersonate any user. Affected versions: 0.3.0–before 3.1.0, 5.0.0–before 5.1.0, and 6.0.0–before 6.4.0. Root cause: absent JWT/signature check in OIDC flow as described in the CVE d...

CVSS 8.1 | AI score 5.7 | EPSS 0.00028
Exploits: 0 | References: 3

EUVD
added 3 days ago, 9 views

EUVD-2026-33675

Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been patched in versions...

CVSS 8.1 | AI score 5.7 | EPSS 0.00028
Exploits: 0 | References: 3

Vulnrichment
added 3 days ago, 6 views

CVE-2026-45156 Nextcloud: Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC

Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been patched in versions...

CVSS 8.1 | AI score 5.7 | EPSS 0.00028
Exploits: 0 | References: 3

Vulnrichment
added 2024/06/14 3:45 p.m., 11 views

CVE-2024-37886 Nextcloud user_oidc's ID4me does not validate signature or expiration

user_oidc app is an OpenID Connect user backend for Nextcloud. An attacker could potentially trick the app into accepting a request that is not signed by the correct server. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.5, 2.0.0, 3.0.0, 4.0.0 or 5.0.0...

CVSS 5.4 | AI score 6.8 | EPSS 0.00591
Exploits: 0 | References: 3

Cvelist
added 2024/06/14 2:43 p.m., 26 views

CVE-2024-37312 Nextcloud user_oidc app's ID4me feature is available even when disabled

user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to...

CVSS 6.3 | EPSS 0.00467
Exploits: 1 | References: 3

Vulnrichment
added 2024/06/14 2:43 p.m., 29 views

CVE-2024-37312 Nextcloud user_oidc app's ID4me feature is available even when disabled

user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to...

CVSS 6.3 | AI score 6.9 | EPSS 0.00467
Exploits: 1 | References: 3

CVE
added 2024/06/14 2:43 p.m., 64 views

CVE-2024-37312

The CVE concerns Nextcloud’s user_oidc OpenID Connect backend, where the ID4me endpoint lacks access control, enabling account registration and potential access to data available to all registered users. Publicly documented details come from Nextcloud advisories and HackerOne report, which confir...

CVSS 6.3 | AI score 6.3 | EPSS 0.00467
Exploits: 1 | References: 3 | Affected Software: 1

Nextcloud
added 2024/06/14 2:35 p.m., 18 views

ID4me does not validate signature or expiration

None...

CVSS 5.4 | AI score 5.6 | EPSS 0.00591
Exploits: 0 | References: 2 | Affected Software: 1

Hacker One
added 2024/02/17 2:39 a.m., 66 views

Nextcloud: ID4me feature of OpenID connect app available even when disabled

The useroidc app in Nextcloud allowed the registration of new accounts by accessing the /apps/useroidc/id4me endpoint, even when the ID4Me feature was disabled. This was caused by the setting to enable/disable ID4Me having no effect on the accessibility of the controllers...

CVSS 6.3 | AI score 6.1 | EPSS 0.00467
Exploits: 1

Hacker One
added 2023/02/18 11:56 a.m., 16 views

Nextcloud: ID4ME does not validate signature or expiration

The ID4ME did not validate the signature or expiration, leading to a security vulnerability...

CVSS 5.4 | AI score 5.5 | EPSS 0.00591
Exploits: 0