Severity by source
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Nextcloud is an open source content collaboration platform. From versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a user shares a folder or file with a Nextcloud Team that includes an external member (a person added via email address who does not have a Nextcloud account), the system automatically creates a public link for that external member. This public link is not displayed in the share section of the folder, so the folder owner has no knowledge of its existence. It is sent via email to the external member. It grants the same permissions (read, write, delete, reshare, download) as the Team’s access. An attacker who receives or intercepts this link can access, modify, delete, reshare, and download all data in the shared folder without any further authentication. The folder owner cannot see or revoke the link through the normal sharing interface. This issue has been patched in versions 32.0.9 and 33.0.3.
AnalysisAI
Nextcloud's Circles (Teams) sharing feature silently generates unauthenticated public access links when folders are shared with a Team containing external email-only members, links which are never surfaced in the sharing UI and cannot be revoked by the folder owner. Affected are Nextcloud versions 32.0.0-32.0.8 and 33.0.0-33.0.2 with the Circles app in use. Any party who receives or intercepts the emailed link obtains full read, write, delete, reshare, and download access to the shared folder without a Nextcloud account, and the folder owner has no visibility or revocation path through normal interfaces. No public exploit identified at time of analysis; the issue was disclosed via HackerOne.
Technical ContextAI
The vulnerability resides in the Nextcloud Circles app (also marketed as Teams), which provides group-based sharing across Nextcloud. External members - users identified only by email address who lack Nextcloud accounts - are a supported member type in a Circle. The root cause, classified under CWE-862 (Missing Authorization), is that the ShareByCircleProvider's create() method automatically assigned a share token (equivalent to a public-link token) to every circle share record in the oc_share database table when an external member was present. This token was never rendered in the sharing UI, leaving the folder owner unaware of its existence. The token granted access equivalent to the Team's full permission set (read, write, delete, reshare, download), bypassing the expected Nextcloud account authentication. The PR diff at github.com/nextcloud/circles/pull/2454 confirms the fix: token generation was removed from ShareByCircleProvider::create(), and a live migration class RemoveShareTokens was introduced to NULL out all existing tokens for TYPE_CIRCLE shares in the database on upgrade.
RemediationAI
Upgrade Nextcloud to version 32.0.9 or 33.0.3, which contain the patched Circles app. The upgrade automatically executes the RemoveShareTokens live migration, which NULLs all existing share tokens for TYPE_CIRCLE shares in the oc_share table in batches of 1000 rows, thereby invalidating any pre-existing invisible public links - no manual revocation is required post-upgrade. The upstream code change is documented at https://github.com/nextcloud/circles/pull/2454 and the advisory at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r3xh-x86g-hw4m. As an immediate workaround prior to patching, administrators can disable the addition of external email-only members to Circles via Nextcloud admin settings; this prevents new invisible links from being generated but does not revoke tokens already created. Note that disabling external members will break existing collaboration workflows for any Teams currently using them. Alternatively, administrators can directly query the oc_share table and NULL the token column for all rows where share_type matches TYPE_CIRCLE, replicating the migration manually, though this approach carries database modification risk and should be tested in a non-production environment first.
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti
NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi
lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the
A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high
Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss
A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33709