Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Nextcloud is an open source content collaboration platform. Prior to versions 21.1.10, 22.0.11, and 23.0.3, a low-privileged user can force other user's microphones to be muted in calls when no High-performance Backend is installed. This issue has been patched in versions 21.1.10, 22.0.11, and 23.0.3.
AnalysisAI
Improper access control in Nextcloud Talk's signaling layer allows a low-privileged authenticated user to forcibly mute other participants' microphones during calls on deployments without the High-performance Backend. The vulnerability exists in SignalingController::sendMessages(), which processed 'control' type signaling messages without first validating that the target session (decodedMessage['to']) was a legitimate room participant - allowing session-targeted control commands to reach arbitrary users. No public exploit or CISA KEV listing exists at time of analysis, and real-world impact is limited to call disruption with no data exposure.
Technical ContextAI
The affected component is the Nextcloud Talk application (internally named 'spreed'), which implements WebRTC-based calling using a server-side signaling controller. The vulnerable code in lib/Controller/SignalingController.php processes signaling messages via sendMessages(), routing 'control' message types between session participants. CWE-284 (Improper Access Control) applies: the original code validated the sender's session but failed to verify that decodedMessage['to'] - the target session - actually belonged to a participant in the same room before forwarding control commands. The fix introduces a getParticipantBySession() lookup for the target session and aborts message processing if the target is not a valid room participant. The vulnerability is conditional on the absence of the High-performance Backend (HPB), which implements its own signaling validation layer. CPE: cpe:2.3:a:nextcloud:security-advisories:*:*:*:*:*:*:*:*.
RemediationAI
Upgrade Nextcloud to one of the patched releases: 21.1.10, 22.0.11, or 23.0.3, as confirmed by vendor advisory GHSA-x75r-65hm-cw35 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x75r-65hm-cw35). The upstream code fix is merged in nextcloud/spreed PR #17577 (https://github.com/nextcloud/spreed/pull/17577). As an interim compensating control, deploying the Nextcloud Talk High-performance Backend (HPB) eliminates the vulnerable signaling path entirely, since HPB enforces its own participant validation - however, HPB introduces infrastructure overhead and requires additional configuration. Restricting call participation to trusted users via Nextcloud's permission system reduces exposure but does not fully remediate the flaw, as any low-privileged participant can exploit it.
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti
NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi
lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the
A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high
Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss
A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33678