Nextcloud User OIDC Missing Signature Verification Vulnerability Allows ID4me Authority Impersonation

Vulnerability

A vulnerability exists in the User OIDC app for Nextcloud, affecting versions 0.3.0 prior to 3.1.0, 5.0.0 prior to 5.1.0, and 6.0.0 prior to 6.4.0. The app's ID4me login flow fails to verify the signature on the OpenID Connect (OIDC) identity data it receives, so the identity claims are trusted without proof that they came from the expected authority. A malicious ID4me authority can therefore assert any user identity and be accepted as that user, which amounts to an authentication bypass and could enable further exploitation within the application.

Impact

Exploitation of this vulnerability results in an authentication bypass: a malicious ID4me authority can log in as any user within the Nextcloud instance.

Remediation

Users are advised to upgrade the User OIDC app to version 3.1.0, 4.1.0, 5.1.0, 6.4.0, or 8.3.0. Alternatively, the ID4me feature can be disabled in the configuration.

Added: Jun 1, 2026, 5:27 PM
Updated: Jun 1, 2026, 5:27 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 5.0
exploitability: 7.0
remediation: 8.3
relevance: 9.7
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.