Severity by source
Primary rating from GitHub Advisory (only source for this CVE).
CVSS vector (GitHub Advisory): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description (GitHub Advisory)
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authenticated attacker can access attachments of link shares when knowing the share token, circumventing password protection or download restrictions. It is applicable to any file that is shared directly, as the attacker only needs to know a documentId they own, apart from the mentioned share token. For shared folders the attacker has to know or guess a documentId of a file that is included inside the folder, making it much harder to exploit. The attacker can only extract attachments, but not the shared file or folder itself. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17 or 27.1.11.5.
Analysis (AI)
Nextcloud Server's link share attachment access bypasses password protection and download restrictions for authenticated users who possess a valid share token. Affecting Nextcloud Server versions 32.0.0 to before 32.0.9 and 33.0.0 to before 33.0.3 (with broader version ranges for Enterprise), an attacker authenticated to the Nextcloud instance can retrieve attachments from password-protected or download-restricted link shares by supplying a documentId they own alongside a known share token, circumventing the intended access controls entirely. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires an active authenticated Nextcloud session (CVSS PR:L confirms low-privilege authentication is sufficient; anonymous exploitation is not possible). … |
| Risk Assessment | The CVSS 6.5 (Medium) score reflects a network-accessible, low-complexity attack requiring low privileges (PR:L) with no user interaction and high confidentiality impact but no integrity or availability impact (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). … |
| Exploit Scenario | An authenticated Nextcloud user (e.g., a low-privilege internal account or a compromised external collaborator account) obtains the share token for a password-protected link share through legitimate access or observation. The attacker then crafts an HTTP request to the Nextcloud Text attachment endpoint, supplying the share token alongside a documentId from one of their own documents. … |
| Remediation | The primary remediation is to upgrade Nextcloud Server to version 32.0.9 or 33.0.3 as recommended by the vendor advisory at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-35fx-69q6-xpjr. … |
Weakness: CWE-284 – Improper Access Control
Technique: Authentication Bypass
EUVD ID: EUVD-2026-33707