CVE-2021-37630
MEDIUMNextcloud Circles < 0.19.5 - Unauthenticated Authorization Bypass via Secret Circle Join
Title source: llmDescription
Nextcloud Circles is an open source social network built for the nextcloud ecosystem. In affected versions the Nextcloud Circles application allowed any user to join any "Secret Circle" without approval by the Circle owner leaking private information. It is recommended that Nextcloud Circles is upgraded to 0.19.15, 0.20.11 or 0.21.4. There are no workarounds for this issue.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-56j9-3rj4-wvgm
Patch, Third Party Advisory x_refsource_misc
https://github.com/nextcloud/circles/pull/768
Permissions Required, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/1257624
Scores
CVSS v3
6.5
EPSS
0.0116
EPSS Percentile
63.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-639
Status
published
Products (1)
nextcloud/circles
< 0.19.5
Published
Sep 07, 2021
Tracked Since
Feb 18, 2026