CVE-2022-31131

MEDIUM

Nextcloud mail <1.12.2 - Info Disclosure

Title source: llm

Description

Nextcloud mail is a Mail app for the Nextcloud home server product. Versions of Nextcloud mail prior to 1.12.2 were found to be missing user account ownership checks when performing tasks related to mail attachments. Attachments may have been exposed to incorrect system users. It is recommended that the Nextcloud Mail app is upgraded to 1.12.2. There are no known workarounds for this issue. ### Workarounds No workaround available ### References * [Pull request](https://github.com/nextcloud/mail/pull/6600) * [HackerOne](https://hackerone.com/reports/1579820) ### For more information If you have any questions or comments about this advisory: * Create a post in [nextcloud/security-advisories](https://github.com/nextcloud/security-advisories/discussions) * Customers: Open a support ticket at [support.nextcloud.com](https://support.nextcloud.com)

References (3)

Core 3

Core References

Exploit, Issue Tracking, Third Party Advisory x_refsource_confirm

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xhv7-5mhv-299j

Issue Tracking, Patch, Third Party Advisory x_refsource_misc

https://github.com/nextcloud/mail/pull/6600

Patch, Third Party Advisory x_refsource_misc

https://github.com/nextcloud/mail/pull/6600/commits/6dd2527be8d4f6788b449c8a8f5577628b990605

Scores

CVSS v3 5.4

EPSS 0.0015

EPSS Percentile 35.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-639 CWE-287

Status published

Products (1)

nextcloud/nextcloud_mail < 1.12.2

Published Jul 06, 2022

Tracked Since Feb 18, 2026