Severity by source
AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.7 and 33.0.0 to before 33.0.1, a missing access check on API level allowed to add unknown circles by their ID directly to other circles. Since circle IDs have 62^15 complexity by default this is still unlikely to be executable at will, but if access to an ID was available via another source, memberships could be tracked like this. It is recommended that the Nextcloud Server is upgraded to 32.0.7 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7 or 33.0.1
AnalysisAI
Nextcloud Server's Circles app exposes a missing access control check on the member-add API endpoint, allowing an authenticated user to add an arbitrary circle - identified only by its internal ID - as a member of another circle without verifying that the requesting user has any relationship to the target circle. Affected versions span 32.0.0-32.0.6 and 33.0.0, with Enterprise editions from 29.x through 31.x also impacted. Exploitation is severely constrained by the 62^15 entropy of circle IDs, making the vulnerability practically exploitable only when an attacker has obtained a valid circle ID through a separate information-disclosure path, at which point they could track or infer circle membership relationships. No public exploit exists and this is not listed in CISA KEV.
Technical ContextAI
The Nextcloud Circles app (a social graph and collaboration grouping feature within Nextcloud Server) exposes a REST API via LocalController.php for adding members to circles. The vulnerability is rooted in CWE-639 (Authorization Bypass Through User-Controlled Key): the API accepted a caller-supplied circle ID as the subject of a member-add operation of type TYPE_CIRCLE without performing a server-side access or existence check on that ID. The fix (PR #2401) inserts a call to circleService->getCircle($userId) before proceeding whenever the member type is TYPE_CIRCLE, enforcing that the target circle is resolvable and accessible. Circle IDs carry approximately 62^15 bits of entropy by default, which makes unaided enumeration computationally infeasible, but the API design flaw still constitutes an authorization-by-obscurity anti-pattern. The affected CPE is cpe:2.3:a:nextcloud:security-advisories:*:*:*:*:*:*:*:*.
RemediationAI
Upgrade Nextcloud Server to version 32.0.7 or 33.0.1 (vendor-released patches). Enterprise Server users should upgrade to 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7, or 33.0.1 depending on their release track. The upstream fix is available in pull request https://github.com/nextcloud/circles/pull/2401 and is confirmed merged. If immediate upgrade is not feasible, a targeted compensating control is to audit and restrict API access to the Circles member-add endpoints at the reverse proxy or firewall level to authenticated internal network users only, reducing the network-reachable attack surface; however, this trades off legitimate remote collaboration functionality. Additionally, reviewing application and server logs for anomalous circle-member-add API calls referencing circle IDs not associated with the requesting user's visible circles may help detect any prior exploitation attempts.
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti
NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi
lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the
A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high
Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss
A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33674