Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Nextcloud is an open source content collaboration platform. From versions 1.15.0 to before 1.15.4, 1.16.0 to before 1.16.3, 1.17.0 to before 1.17.1, and 1.18.0 to before 1.18.1, a malicious user with access to an end-to-end encrypted files drop link was able to also drop files into other end-to-end encrypted folders of the share owner. Reading and modifying of other files was not possible. This issue has been patched in versions 1.15.4, 1.16.3, 1.17.1, 1.18.1, and 2.0.0-rc.7.
AnalysisAI
Unauthorized file injection in the Nextcloud end-to-end encryption application (versions 1.15.0-1.18.x) allows a low-privileged user possessing a valid E2EE files drop share link to write files into other E2EE-encrypted folders owned by the same share owner. The impact is strictly integrity-limited - confidentiality is unaffected and existing files cannot be read or modified - consistent with the CVSS score of 3.5 (Low). No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog; it was responsibly disclosed via HackerOne report #3304830.
Technical ContextAI
The vulnerability resides in MetaDataController.php within Nextcloud's end_to_end_encryption application. The root cause, CWE-639 (Authorization Bypass Through User-Controlled Key), stems from the original getOwnerId() method resolving share ownership solely from a shareToken without verifying that the caller-supplied fileId parameter fell within the scope of that share. A valid file drop token - which should only authorize writes to its specifically shared E2EE folder - could therefore be submitted alongside an arbitrary fileId referencing a different E2EE folder owned by the same user, bypassing the intended folder scope boundary. The fix introduced in PR #1395 replaces getOwnerId() with getFileDropOwnerId(), which enforces four explicit guards: (1) the share must carry CREATE permission, (2) the share root must be a Folder node, (3) that folder must be encrypted, and (4) the requested fileId must equal the share root or be a descendant node returned by getFirstNodeById() - preventing any out-of-scope folder targeting. Affected CPE: cpe:2.3:a:nextcloud:security-advisories:*:*:*:*:*:*:*:*.
RemediationAI
Upgrade the Nextcloud end-to-end encryption app to the vendor-released patched versions: 1.15.4, 1.16.3, 1.17.1, 1.18.1, or 2.0.0-rc.7, selecting the branch that corresponds to your current deployment. The upstream source fix is documented in PR #1395 at https://github.com/nextcloud/end_to_end_encryption/pull/1395 and the full vendor advisory is at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p3qw-7gwx-wg24. If immediate patching is not feasible, a targeted compensating control is to disable or revoke all end-to-end encrypted files drop shares (i.e., create-only share links targeting E2EE folders) until the patch is applied - this eliminates the attack vector entirely since the exploit requires a valid drop link as its entry point. The trade-off is that external collaborators lose the ability to submit files via drop links until patching is complete.
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti
NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi
lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the
A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high
Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss
A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33677