Severity by source
AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Nextcloud is an open source content collaboration platform. From version 33.0.0 to before version 33.1.0, after unlocking a locked Android phone the back-button could be used to bypass the Nextcloud Files app PIN. This issue has been patched in version 33.1.0.
AnalysisAI
PIN authentication bypass in the Nextcloud Files Android app (versions 33.0.0 through 33.0.x) allows a physically present attacker to circumvent the app's passcode lock screen by pressing the Android back button immediately after the host device is unlocked. The PassCodeActivity failed to intercept back-navigation events during PIN verification, granting direct file access without completing authentication. No public exploit identified at time of analysis and no CISA KEV listing; risk is tightly constrained by the physical access vector. Patched in version 33.1.0 via upstream PR #16896.
Technical ContextAI
The vulnerability resides in PassCodeActivity.kt within the Nextcloud Android client. Android's activity back-stack navigation was not overridden during the ACTION_CHECK phase (PIN verification), meaning the system's default back-press behavior would pop PassCodeActivity off the stack and render the underlying app accessible. The fix registers an OnBackPressedCallback via onBackPressedDispatcher that intercepts back-press events: when the activity is in ACTION_CHECK mode the callback returns immediately, blocking navigation; otherwise it disables itself and delegates to the default dispatcher. This is a CWE-287 (Improper Authentication) defect - the authentication gate existed but could be trivially circumvented through a standard OS interaction. CPE identifies the affected component as cpe:2.3:a:nextcloud:security-advisories:*:*:*:*:*:*:*:* scoped to the Android client build 33.0.0-33.0.x.
RemediationAI
Upgrade the Nextcloud Files Android app to version 33.1.0, which resolves the issue by registering an OnBackPressedCallback in PassCodeActivity to block back-navigation during PIN verification. The patch is documented in vendor advisory GHSA-2w7v-5299-3hw5 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2w7v-5299-3hw5) and delivered via PR #16896 (https://github.com/nextcloud/android/pull/16896). As a compensating control for organizations unable to update immediately, disabling the in-app PIN/passcode feature removes the vulnerable code path entirely; however, this eliminates the app-layer lock, so defenders must then rely solely on the device-level screen lock - acceptable only if device-level authentication is enforced by MDM policy with strong PIN or biometric requirements. No other workarounds have been confirmed in the available data.
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti
NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi
lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the
A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high
Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss
A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33672