Description
Nextcloud Server is an open source, self-hosted personal cloud. In affected versions an attacker is able to bypass two-factor authentication in Nextcloud: knowledge of a user's password, or access to one of that user's WebAuthn trusted devices, was sufficient to gain access to the account. It is recommended that Nextcloud Server be upgraded to 20.0.12, 21.0.4 or 22.1.0. There is no workaround for this vulnerability.
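The Products entry below lists only "< 20.0.12", while the description names fixes on three release branches (20.0.12, 21.0.4, 22.1.0). The following check, added here as an example and not Nextcloud project code, encodes the per-branch fixed versions so an operator can test an installed version against all three ranges; the `occ status` output format is assumed, and the sample output is constructed.

```python
"""Decide whether an installed Nextcloud Server version still carries the
2FA-bypass flaw, using the fixed versions named in the advisory
(20.0.12, 21.0.4, 22.1.0).  Added example; not Nextcloud's own code."""
import re

# Fixed versions from the advisory, keyed by major release branch.
FIXED = {20: (20, 0, 12), 21: (21, 0, 4), 22: (22, 1, 0)}


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH[.BUILD]' into (major, minor, patch)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if `version` is below the fix on its branch."""
    v = parse_version(version)
    major = v[0]
    if major < 20:
        # The product entry says '< 20.0.12'; anything below the 20 branch
        # sits under that bound and is treated as affected.
        return True
    if major > 22:
        # Branches newer than 22.1.0 were released with the fix.
        return False
    return v < FIXED[major]


def version_from_occ_status(output):
    """Extract the 'versionstring' field from `occ status` output.
    The ' - key: value' line layout is an assumption of this example."""
    for line in output.splitlines():
        key, _, value = line.strip().lstrip("- ").partition(":")
        if key.strip() == "versionstring":
            return value.strip()
    raise ValueError("no versionstring line in occ status output")


# Constructed sample of `sudo -u www-data php occ status` output.
SAMPLE_OCC_STATUS = """\
  - installed: true
  - version: 21.0.3.1
  - versionstring: 21.0.3
  - edition:
  - maintenance: false
  - needsDbUpgrade: false
  - productname: Nextcloud
  - extendedSupport: false
"""

if __name__ == "__main__":
    installed = version_from_occ_status(SAMPLE_OCC_STATUS)
    print(installed, "affected" if is_affected(installed) else "fixed")
```

Run `occ status` on the target instance and feed its output to `version_from_occ_status`; a result of `affected` means the 2FA check can be bypassed and the instance must be upgraded, since the advisory offers no workaround.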
References (4)
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-gv5w-8q25-785v (Third Party Advisory; x_refsource_confirm)
https://github.com/nextcloud/server/pull/28078 (Patch, Third Party Advisory; x_refsource_misc)
https://hackerone.com/reports/1271052 (Permissions Required, Third Party Advisory; x_refsource_misc)
https://security.gentoo.org/glsa/202208-17 (Third Party Advisory, vendor-advisory; x_refsource_gentoo)
Scores
CVSS v3
8.1
EPSS
0.0033
EPSS Percentile
55.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-306
Status
published
Products (1)
nextcloud/nextcloud_server
< 20.0.12 (the description also names fixes at 21.0.4 and 22.1.0, so 21.x before 21.0.4 and 22.x before 22.1.0 are affected as well)
Published
Sep 07, 2021
Tracked Since
Feb 18, 2026