{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "0.3.0"
              },
              {
                "fixed": "3.1.0"
              },
              {
                "introduced": "5.0.0"
              },
              {
                "fixed": "5.1.0"
              },
              {
                "introduced": "6.0.0"
              },
              {
                "fixed": "6.4.0"
              }
            ],
            "source": "AFFECTED_FIELD"
          },
          "events": [
            {
              "introduced": "e4f152c1bd3e3bb51e8434b4dfb5850712d77271"
            },
            {
              "fixed": "a291ea5500abf549798399e8cea13396af8d7303"
            },
            {
              "introduced": "48af954cb7456d4d6f4aeece9bb2908e8184fa3a"
            },
            {
              "fixed": "b2fef06293b26fa1085faf75e59f0e370ea86494"
            },
            {
              "introduced": "1053b625796f9bc80ae9947fd22b2fb953dbf70a"
            },
            {
              "fixed": "3427640c101bfa3b0466ee3d7f1d8b5f54113bf3"
            }
          ],
          "repo": "https://github.com/nextcloud/user_oidc",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-qqgv-fqwp-mjpp"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-287"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45156.json"
  },
  "details": "Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been patched in versions 3.1.0, 4.1.0, 5.1.0, 6.4.0 and 8.3.0.",
  "id": "CVE-2026-45156",
  "modified": "2026-07-15T01:49:01.208973905Z",
  "published": "2026-06-01T16:38:46.470Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3489490"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45156.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qqgv-fqwp-mjpp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45156"
    },
    {
      "type": "FIX",
      "url": "https://github.com/nextcloud/user_oidc/pull/1285"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Nextcloud: Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC"
}