Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Nextcloud is an open source content collaboration platform. From version 4.3.0 to before version 5.2.7, a removed collaborator retains unauthorized read access to uploaded respondent files for the affected form. The scope is limited to uploaded files for forms where that user previously had results access. This issue has been patched in version 5.2.7.
AnalysisAI
Broken share revocation in Nextcloud Forms versions 4.3.0 through 5.2.7 leaves former collaborators with persistent read access to uploaded respondent files after removal. The vulnerability stems from a two-layer share architecture where removing a collaborator deleted the Forms-layer share record but silently preserved the underlying Nextcloud Files-layer share on the uploaded files folder - meaning removed users retained filesystem-level access to sensitive form submission files. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, but the low-complexity network vector (CVSS AV:N/AC:L/PR:N/UI:N) means a removed collaborator can exploit this passively without any additional action.
Technical ContextAI
Nextcloud Forms implements collaborator access through two coupled share records: a Forms-application share (tracked in the Forms database with permissions like PERMISSION_RESULTS) and a corresponding Nextcloud Files share on the folder where uploaded respondent files are stored. The root cause (CWE-552 - Files or Directories Accessible to Unauthorized Actors) is in ShareApiController.php: when deleteShare() was called, it removed only the Forms-layer share but never invoked shareManager->deleteShare() on the linked Files folder share. The fix in PR #3291 introduces a dedicated removeUploadedFilesShare() helper that queries all Files shares on the form's upload folder and deletes those matching the removed collaborator, and also ensures this cleanup is triggered from the updateShare() path. The CPE cpe:2.3:a:nextcloud:security-advisories is the generic Nextcloud advisory identifier; the specific affected component is the Nextcloud Forms app.
RemediationAI
Upgrade Nextcloud Forms to version 5.2.7, which contains the fix introduced in pull request https://github.com/nextcloud/forms/pull/3291. The patch adds proper cleanup of underlying Files shares when a collaborator with results access is removed. No official workaround is documented by the vendor. As a compensating control for instances that cannot immediately update, administrators can manually audit and revoke Nextcloud Files shares on forms upload folders for any users who have been removed as collaborators - this can be done via the Nextcloud admin share management interface or the occ share:list and share:delete commands. Be aware this is a manual process prone to gaps and should not substitute for patching.
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti
NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi
lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the
A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high
Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss
A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33713