Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the files_lock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated user could lock or unlock files belonging to other users by targeting their absolute WebDAV paths. Additionally, lock tokens were disclosed to unauthorized callers in error responses, allowing attackers to remove token-based locks placed by other users' client applications. It is recommended that the Nextcloud Server is upgraded to 32.0.2 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 31.0.14.4 or 32.0.2 or 33.0.1
AnalysisAI
Nextcloud Server's files_lock application failed to enforce file ownership during WebDAV DAV lock and unlock operations, allowing any authenticated low-privilege account to lock or unlock files belonging to other users by referencing their absolute WebDAV paths. Affected releases span Nextcloud Server 32.0.0-32.0.1 and 33.0.0, plus Nextcloud Enterprise Server in the 31.0.x, 32.x, and 33.x lines prior to their respective patches. Compounding the flaw, lock tokens were leaked in server error responses, enabling an attacker to silently remove token-based locks placed by legitimate sync clients - disrupting collaborative workflows without direct file access. No public exploit code or CISA KEV listing exists at time of analysis.
Technical ContextAI
The vulnerability resides in the files_lock app's FileService.php, specifically the getFileFromUri() method. The pre-patch code extracted the $userId directly from the caller-supplied WebDAV URI string using PHP's explode() function: [$root, $userId, $path] = explode('/', trim($uri, '/') . '/', 3). This meant the system trusted the user identifier embedded in the path rather than the authenticated session identity - a classic confused-deputy pattern. The fix enforces session-derived identity: $userId = $this->userSession->getUser()->getUID(), ignoring the path-supplied value entirely. WebDAV LOCK and UNLOCK are standard HTTP extension methods defined in RFC 4918 and are used extensively by Nextcloud desktop sync clients and WebDAV-aware applications for collaborative file access serialization. The root cause is classified as CWE-287 (Improper Authentication): the server authenticated the requesting user but failed to verify authorization over the targeted resource, treating path-parsed identity as equivalent to session identity.
RemediationAI
Upgrade Nextcloud Server to version 32.0.2 or 33.0.1, or Nextcloud Enterprise Server to 31.0.14.4, 32.0.2, or 33.0.1 - all confirmed patched releases per the vendor advisory at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4chh-6mhf-p4jj. The upstream code fix is available in PR #1007 at https://github.com/nextcloud/files_lock/pull/1007. If immediate upgrade is not feasible, administrators should disable the files_lock app via the Nextcloud admin panel; this eliminates the attack surface entirely but also disables WebDAV-based file locking for all sync clients and WebDAV applications, potentially disrupting collaborative workflows that depend on it. Restricting WebDAV endpoint access to trusted IP ranges or requiring VPN authentication reduces exposure but does not eliminate risk since the attacker only requires a valid Nextcloud account - not network privilege escalation.
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti
NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi
lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the
A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high
Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss
A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33708