Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Nextcloud is an open source content collaboration platform. From versions 17.0.0 to before 17.0.15, 18.0.0 to before 18.1.12, 19.0.0 to before 19.1.16, 20.0.0 to before 20.1.11, and 21.0.0 to before 21.0.4, a user with READ and CREATE permission, but no UPDATE permission for a team folder can rename files in the team folder. This issue has been patched in versions 17.0.15, 18.1.12, 19.1.16, 20.1.11, and 21.0.4.
AnalysisAI
Rename permission bypass in Nextcloud's team folder (groupfolders) feature allows authenticated low-privileged users holding READ and CREATE permissions to rename files in team folders even when UPDATE permission is explicitly denied. Affecting Nextcloud versions 17.0.0 through 21.0.3, the flaw originates from a single-character bitwise operator error in ACLStorageWrapper.php - a & used instead of | when evaluating combined permission flags effectively nullifies the UPDATE permission check. No public exploit identified at time of analysis; vendor-released patches are available across all affected version branches.
Technical ContextAI
The vulnerability resides in the groupfolders (team folders) plugin's lib/ACL/ACLStorageWrapper.php, specifically in the rename() method's ACL permission check. Nextcloud uses bitmask constants to represent permissions (READ, CREATE, UPDATE, etc.); combining them correctly requires bitwise OR (|) to check that a user holds all required permissions. The defective code used bitwise AND (&) between PERMISSION_UPDATE and PERMISSION_READ, which - since these are distinct non-overlapping bit flags - evaluates to zero, causing checkPermissions() to receive a trivially-satisfied operand and bypass the UPDATE requirement entirely. CWE-284 (Improper Access Control) is the accurate root cause class: the access control boundary between CREATE and UPDATE permissions is not correctly enforced at the storage wrapper layer. The CPE string cpe:2.3:a:nextcloud:security-advisories covers the Nextcloud application suite as reported by NVD.
RemediationAI
Upgrade Nextcloud to one of the vendor-patched releases: 17.0.15, 18.1.12, 19.1.16, 20.1.11, or 21.0.4, which incorporate the corrected bitwise OR operator in ACLStorageWrapper.php via groupfolders PR #4361 (https://github.com/nextcloud/groupfolders/pull/4361). Full vendor advisory is at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wx2x-822r-rvmf. If an immediate upgrade cannot be applied, the most targeted compensating control is to audit team folder ACL configurations and remove CREATE permission from any user who does not also hold UPDATE permission - this eliminates the exploitable READ+CREATE-without-UPDATE permission subset, though it restricts legitimate file creation for those users. Alternatively, temporarily revoking groupfolders access for sensitive team folders until the patch is applied eliminates exposure entirely, at the cost of disrupting collaboration workflows.
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti
NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi
lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the
A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high
Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss
A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33671