CVE-2026-45691 — Nextcloud Server / Enterprise Server: 2FA bypass on WebDAV via pre-authenticated session token reuse

From CTI Daily Brief — 2026-05-15 · published 2026-05-15

CVE-2026-45691 (CVSS 5.9, Moderate, CWE-287) is a two-factor authentication bypass in Nextcloud Server and Enterprise Server discovered and disclosed via the vendor's GitHub advisory program (Nextcloud GHSA-mp6x-g55j-w9jw, 2026-05-12 · BSI WID-SEC-2026-1517, 2026-05-13).

After a user completes password authentication but before the 2FA step, the session cookie issued by Nextcloud can be immediately reused as a Bearer token to authenticate against the WebDAV (dav/) endpoints — dav/files/, CalDAV, and CardDAV — bypassing the enforced 2FA gate entirely. An attacker who has compromised only the first factor (via password spray, credential stuffing, phishing, or infostealer) can directly access and exfiltrate the victim's files, calendar, and contacts without ever touching the 2FA challenge. No PoC is publicly available; no in-the-wild exploitation reported.

Affected: Nextcloud Server 32.0.0–33.0.2 and 33.0.0 branches; Enterprise Server 29.0, 30.0, 31.0, 32.0, 33.0 series. Patched: Server 33.0.3 / 32.0.9; Enterprise Server 33.0.3 / 32.0.9 / 31.0.14.5 / 30.0.17.9 / 29.0.16.16. MITRE ATT&CK: T1078 (Valid Accounts), T1550.001 (Use Alternate Authentication Material: Application Access Token).

Administrators should upgrade and audit WebDAV access logs for unexpected client sessions from IPs inconsistent with the user's normal access patterns.

The same May 2026 Nextcloud advisory batch includes CVE-2026-45690 (SQL injection in column-type parameter, Moderate), a JWT signature-verification bypass in the Nextcloud user OIDC app (Moderate), and a calendar attendee suggestion endpoint information disclosure (High) — apply all patches simultaneously.
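As an added example (not from the brief and not Nextcloud's own code), the log audit the brief recommends: flag WebDAV requests whose source IP falls outside each user's known address baseline. The log lines and the baseline are constructed; the JSON field names and DAV URL prefixes are assumptions to confirm against your own deployment.

```python
import ipaddress
import json

# Constructed sample entries for this example, not real Nextcloud output.
# Assumption: JSON lines with remoteAddr/user/method/url keys (the layout
# nextcloud.log uses); confirm the field names in your own deployment.
SAMPLE_LOG = """
{"time":"2026-05-14T08:01:10+00:00","remoteAddr":"203.0.113.10","user":"alice","method":"GET","url":"/index.php/apps/files/"}
{"time":"2026-05-14T08:05:42+00:00","remoteAddr":"203.0.113.10","user":"alice","method":"PROPFIND","url":"/remote.php/dav/files/alice/"}
{"time":"2026-05-14T09:12:03+00:00","remoteAddr":"198.51.100.77","user":"alice","method":"PROPFIND","url":"/remote.php/dav/files/alice/Documents/"}
{"time":"2026-05-14T09:12:09+00:00","remoteAddr":"198.51.100.77","user":"alice","method":"REPORT","url":"/remote.php/dav/addressbooks/users/alice/contacts/"}
{"time":"2026-05-14T10:00:00+00:00","remoteAddr":"192.0.2.5","user":"bob","method":"PROPFIND","url":"/remote.php/dav/calendars/bob/personal/"}
"""

# Baseline of addresses/networks each user normally connects from
# (constructed; in practice build it from historical interactive logins).
BASELINE = {"alice": ["203.0.113.0/24"], "bob": ["192.0.2.5"]}

DAV_PREFIXES = ("/remote.php/dav/", "/dav/", "/remote.php/webdav/")


def parse_entries(text):
    """One dict per non-empty line; malformed lines are skipped, not fatal."""
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def ip_in_baseline(ip, networks):
    """True if ip falls inside any baseline address or CIDR network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def find_unexpected_dav_access(log_text, baseline):
    """Return dav/ requests whose source IP is outside the user's baseline."""
    findings = []
    for e in parse_entries(log_text):
        url, user, ip = e.get("url", ""), e.get("user"), e.get("remoteAddr")
        if not (user and ip) or not url.startswith(DAV_PREFIXES):
            continue
        if not ip_in_baseline(ip, baseline.get(user, [])):
            findings.append({"time": e.get("time"), "user": user, "ip": ip,
                             "method": e.get("method"), "url": url})
    return findings


if __name__ == "__main__":
    print(find_unexpected_dav_access(SAMPLE_LOG, BASELINE))
```

Run against the constructed sample, the two alice requests from 198.51.100.77 are reported while her in-baseline DAV traffic and bob's are not.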