{"id":"CVE-2026-45266","summary":"Nextcloud: Unauthorized force-mute from missing permission check when using internal signaling","details":"Nextcloud is an open source content collaboration platform. Prior to versions 21.1.10, 22.0.11, and 23.0.3, a low-privileged user can force other user's microphones to be muted in calls when no High-performance Backend is installed. This issue has been patched in versions 21.1.10, 22.0.11, and 23.0.3.","aliases":["GHSA-x75r-65hm-cw35"],"modified":"2026-07-15T01:48:56.568741778Z","published":"2026-06-01T16:39:56.879Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45266.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-284"]},"references":[{"type":"WEB","url":"https://hackerone.com/reports/3636758"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45266.json"},{"type":"ADVISORY","url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x75r-65hm-cw35"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45266"},{"type":"FIX","url":"https://github.com/nextcloud/spreed/pull/17577"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nextcloud/spreed","events":[{"introduced":"0"},{"fixed":"e0f6d8f9fa96bdc19c201ad6fe7d891f36d6badb"},{"fixed":"e6e290a1472e64cf385ff9812ec7855bd1c590d5"},{"fixed":"762ccbe88196ef6162d8d5f80dd9a0ef723caa79"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"21.1.10"},{"fixed":"22.0.11"},{"fixed":"23.0.3"}]}}],"versions":["v23.0.2","v22.0.10","v23.0.1","v23.0.0","v21.1.9","v22.0.9","v23.0.0-rc.4","v23.0.0-rc.3","v23.0.0-rc.2","v23.0.0-rc.1","v21.1.8","v22.0.8","v23.0.0-beta.2","v23.0.0-beta.1","v22.0.7","v21.1.7","v22.0.6","v21.1.6","v22.0.5","v22.0.4","v22.0.3","v22.0.2","v22.0.1","v22.0.0","v22.0.0-rc.4","v22.0.0-rc.3","v21.1.5","v22.0.0-rc.2","v22.0.0-rc.1","v22.0.0-beta.2","v21.1.4","v22.0.0-beta.1","v21.1.3","v21.1.2","v21.1.1","v21.1.0","v21.1.0-rc.4","v21.1.0-rc.3","v21.1.0-rc.2","v21.1.0-rc.1","v21.0.2","v21.0.1","v21.0.0","v21.0.0-rc.5","v21.0.0-rc.4","v21.0.0-rc.3","v21.0.0-rc.2","v21.0.0-rc.1","v21.0.0-beta.2","v21.0.0-beta.1","v20.0.0-beta.3","v20.0.0-beta.2","v20.0.0-beta.1","v19.0.0-beta.5","v19.0.0-beta.4","v19.0.0-beta.3","v19.0.0-beta.2","v19.0.0-beta.1","v18.0.0-beta.3","v18.0.0-beta.2","v18.0.0-beta.1","v17.0.0-rc.1","v17.0.0-beta.3","v17.0.0-beta.2","v17.0.0-beta.1","v16.0.0-rc.1","v16.0.0-beta.2","v16.0.0-beta.1","v15.0.0-beta.4","v15.0.0-beta.3","v15.0.0-beta.2","v15.0.0-beta.1","v14.0.0-rc.1","v14.0.0-beta.1","v12.0.0-alpha.3","v12.0.0-alpha.2","v12.0.0-alpha.1","v11.0.0-alpha.4","v11.0.0-alpha.3","v11.0.0-alpha.2","v11.0.0-alpha.1","v10.0.0-rc.1","v10.0.0-beta.2","v10.0.0-beta.1","v9.0.0-beta.1","v8.0.0","v8.0.0-alpha.6","v8.0.0-alpha.5","v8.0.0-alpha.4","v8.0.0-alpha.3","v8.0.0-alpha.2","v8.0.0-alpha.1","v7.0.0-beta.1","v6.0.0-rc.2","v6.0.0-rc.1","v5.99.10","v4.99.5","v4.0.0","v3.99.12","v3.99.11","v3.99.10","v3.99.8","v3.0.1","v3.0.0","v2.9.1","v2.9.0","v2.0.0","v1.2","v1.1.2","v1.0.22","v1.0.21"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45266.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"}]}