BIT-nextcloud-2023-28999

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/nextcloud/BIT-nextcloud-2023-28999.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-nextcloud-2023-28999
Aliases
Published
2026-07-12T23:47:54.219Z
Modified
2026-07-13T06:26:18.597341993Z
Summary
Nextcloud: Lack of authenticity of metadata keys allows a malicious server to gain access to E2EE folders
Details

Nextcloud is an open-source productivity platform. In Nextcloud Desktop client 3.0.0 until 3.8.0, Nextcloud Android app 3.13.0 until 3.25.0, and Nextcloud iOS app 3.0.5 until 4.8.0, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure and add new files.​ This issue is fixed in Nextcloud Desktop 3.8.0, Nextcloud Android 3.25.0, and Nextcloud iOS 4.8.0. No known workarounds are available.

Database specific
{
    "severity": "Medium",
    "cpes": [
        "cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:android:*:*:*",
        "cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:iphone_os:*:*:*"
    ]
}
References

Affected packages

Bitnami / nextcloud

Package

Name
nextcloud
Purl
pkg:bitnami/nextcloud

Severity

  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
3.0.5
Fixed
4.8.0

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/nextcloud/BIT-nextcloud-2023-28999.json"