Description
Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. In versions prior to 3.19.0, if Nextcloud has access to Contacts, any application with notification permission can access contacts without applying for the Contacts permission itself. Version 3.19.0 contains a fix for this issue. There are currently no known workarounds.
References (3)
Third Party Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5cj3-v98r-2wmq
Third Party Advisory x_refsource_misc
https://github.com/nextcloud/android/pull/9726
Permissions Required, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/1161401
Scores
CVSS v3: 2.2
EPSS: 0.0008
EPSS Percentile: 23.0%
Attack Vector: PHYSICAL
CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-200, CWE-732
Status: published
Products (1)
nextcloud/nextcloud: < 3.19.0
Published: Apr 27, 2022
Tracked Since: Feb 18, 2026