CVE-2021-32726
HIGH
Nextcloud Server <19.0.13, 20.0.11, 21.0.3 - Info Disclosure
Title source: llm
Description
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, WebAuthn tokens were not deleted when a user was deleted. If a victim reused a previously used username, the previous user could gain access to their account. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
References (4)
Core References
Third Party Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6qr9-c846-j8mg
Third Party Advisory x_refsource_misc
https://github.com/nextcloud/server/pull/27532
Permissions Required x_refsource_misc
https://hackerone.com/reports/1202590
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202208-17
Scores
CVSS v3: 7.1
EPSS: 0.0055
EPSS Percentile: 68.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Details
CWE: CWE-287, CWE-708
Status: published
Products (1): nextcloud/nextcloud_server < 19.0.13
Published: Jul 12, 2021
Tracked Since: Feb 18, 2026