Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer token to authenticate against DAV endpoints, granting read/write access and bypassing mandatory two-factor authentication. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16
AnalysisAI
Two-factor authentication bypass in Nextcloud Server 32.0.0-32.0.8 and 33.0.0-33.0.2 enables a partially-authenticated attacker to access DAV endpoints (WebDAV, CalDAV, CardDAV) with full read/write privileges by reusing a pre-2FA intermediate session cookie as a Bearer token. The TEMPORARY_TOKEN issued after successful password authentication but before TOTP completion was not restricted to cookie-based requests, allowing it to be replayed in an HTTP Authorization: Bearer header against DAV APIs - entirely circumventing mandatory two-factor authentication enforcement. No public exploit has been identified at time of analysis, though a HackerOne report (3573399) documents the issue; vendor-confirmed patches are available.
Technical ContextAI
Nextcloud implements a two-phase authentication flow: after password verification, the server issues a TEMPORARY_TOKEN (a session-scoped PublicKeyToken) that persists until the user completes the second factor (e.g., TOTP). The vulnerability resides in lib/private/User/Session.php within the tryTokenLogin() method, which is responsible for authenticating DAV and API requests via Bearer token. Prior to the fix, this method lacked a type-check discriminating between TEMPORARY_TOKEN (session cookies, pre-2FA) and PERMANENT_TOKEN or ONETIME_TOKEN (app tokens, which legitimately authenticate DAV). As confirmed by PR #59758, the code introduced a $tokenFromCookie boolean flag and added an explicit guard rejecting PublicKeyTokens of type TEMPORARY_TOKEN when presented via the Bearer Authorization header rather than a session cookie. CWE-287 (Improper Authentication) applies precisely: the system accepted a credential that was not yet fully authenticated as if it were, skipping the second-factor gate.
RemediationAI
Vendor-released patches are available: Nextcloud Server should be upgraded to 32.0.9 or 33.0.3. Nextcloud Enterprise Server users should upgrade to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, or 29.0.16.16 depending on the branch in use. The full advisory is published at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mp6x-g55j-w9jw and the source fix is in PR #59758 at https://github.com/nextcloud/server/pull/59758. If immediate patching is not possible, a specific compensating control is to disable or restrict network access to DAV endpoints (WebDAV at /remote.php/dav, CalDAV, CardDAV) at the reverse proxy or firewall layer - this prevents Bearer token replay against those endpoints but will break calendar sync, contact sync, and file access for all clients including legitimate ones, representing a significant service disruption trade-off. There is no configuration toggle to disable pre-2FA session token Bearer acceptance without patching; the fix is exclusively a code-level change.
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti
NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi
lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the
A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high
Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss
A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33718