Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user's password to circumvent two-factor authentication (2FA) protections. When a user initiated login with valid credentials on a 2FA-enabled account, the system created a temporary session token before enforcing the second factor challenge. This token could be extracted and replayed via HTTP Basic Authentication to gain unauthorized access to authenticated endpoints. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16
AnalysisAI
Two-factor authentication bypass in Nextcloud Server 32.0.0-32.0.8 and 33.0.0-33.0.2 allows an authenticated attacker who possesses a valid user password to fully circumvent 2FA protections and gain unauthorized account access. During the login sequence, Nextcloud creates a temporary session token after credential validation but before the second factor is enforced; this token was not restricted from use in HTTP Basic Authentication or Bearer-header flows, enabling replay to authenticated API endpoints and effectively nullifying the 2FA control. Vendor-released patches exist as 32.0.9 and 33.0.3; no public exploit identified at time of analysis, though the fix PR makes the exploit mechanism technically transparent.
Technical ContextAI
Nextcloud Server is a self-hosted PHP collaboration platform. The vulnerability resides in lib/private/User/Session.php, specifically within the logClientIn() and tryTokenLogin() methods. CWE-287 (Improper Authentication) accurately captures the root cause: the authentication subsystem failed to enforce a critical distinction between token types. The PublicKeyToken class internally distinguishes TEMPORARY_TOKEN (issued transiently after password validation, before 2FA completion), PERMANENT_TOKEN, and ONETIME_TOKEN (the legitimate token types for API and HTTP Basic Auth access). The flaw allowed a TEMPORARY_TOKEN to authenticate HTTP Basic Auth and Bearer-header requests without ever satisfying the 2FA challenge. The published fix in PR #59758 introduces explicit type-gating in two locations: logClientIn() now rejects any PublicKeyToken that is not PERMANENT_TOKEN or ONETIME_TOKEN, and tryTokenLogin() explicitly blocks TEMPORARY_TOKEN tokens arriving via a non-cookie source (i.e., Basic Auth or Authorization header). The CPE reported is cpe:2.3:a:nextcloud:security-advisories:*:*:*:*:*:*:*:* as catalogued under the GitHub advisory program.
RemediationAI
Vendor-released patches are available and should be applied immediately. Nextcloud Server should be upgraded to version 32.0.9 or 33.0.3. Nextcloud Enterprise Server customers should upgrade to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, or 29.0.16.16 depending on their deployed branch. The upstream code fix is documented in GitHub PR #59758 (https://github.com/nextcloud/server/pull/59758) and the authoritative security advisory is at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jgcj-v42r-9922. If immediate patching is not feasible, a targeted compensating control is to block or restrict HTTP Basic Authentication and Bearer-header token requests at the reverse proxy or WAF layer; however, this will break legitimate API clients including DAV sync clients, mobile apps, and third-party integrations that use app tokens, and requires careful testing before deployment. Disabling 2FA entirely is not a mitigation - it simply removes the control being bypassed. There is no rate-limiting or network-layer compensating control that addresses the token-type confusion at the application layer.
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti
NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi
lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the
A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high
Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss
A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33716