CVE-2024-37882

HIGH

Nextcloud Server < 26.0.13 - Improper Access Control

Title source: rule

Description

Nextcloud Server is a self hosted personal cloud system. A recipient of a share with read&share permissions could reshare the item with more permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4 and that the Nextcloud Enterprise Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4.

References (3)

[Issue Tracking] https://hackerone.com/reports/2289425

[Vendor Advisory] https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jjm3-j9xh-5xmq

[Patch] https://github.com/nextcloud/server/pull/44339

Scores

CVSS v3 8.1

EPSS 0.0032

EPSS Percentile 54.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-284 CWE-281

Status published

Products (2)

nextcloud/nextcloud_server 23.0.0 - 23.0.12.17

nextcloud/nextcloud_server 26.0.0 - 26.0.13

Published Jun 14, 2024

Tracked Since Feb 18, 2026