Nextcloud Server and Enterprise Share Token Vulnerability Allowing Unauthorized Attachment Access

Vulnerability

Nextcloud Server 32.0.0 prior to 32.0.9 and 33.0.0 prior to 33.0.3 are affected, as are the Nextcloud Enterprise Server 27, 28, 29, 30, 31, 32 and 33 release lines prior to the fixed versions listed under Remediation. An authenticated attacker who knows the token of a link share can retrieve attachments belonging to that share, bypassing the share's password protection and any download restriction. For a directly shared file, the attacker needs only the share token and the ID of a document they themselves own. For a shared folder, the attacker must additionally know or guess the document ID of a file inside that folder, which makes exploitation harder. Only attachments can be extracted this way; the shared file or folder itself is not exposed.
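The following is an added, simplified model of the authorization decision behind an attachment request on a link share. It is not Nextcloud's code and does not reproduce the real endpoint; the classes (LinkShare, Session), the share tokens, the document IDs and the function names are invented for illustration. The vulnerable variant accepts a share token plus any document the caller can read, exactly the pattern described above; the hardened variant ties the document to the shared node and consults the share's password state and download restriction before granting access.

```python
"""Model of link-share attachment authorization: flawed check beside hardened check.

Added example for this page; NOT Nextcloud's code. All names, tokens and
document IDs below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LinkShare:
    token: str
    node_id: int                              # id of the shared file or folder
    is_folder: bool = False
    child_ids: frozenset = frozenset()        # file ids inside a shared folder
    password_protected: bool = False
    download_allowed: bool = True             # False models a "hide download" restriction


@dataclass(frozen=True)
class Session:
    user_id: str
    owned_document_ids: frozenset             # documents this user can read anyway
    unlocked_share_tokens: frozenset = frozenset()  # shares whose password was entered


# Constructed sample shares: a password-protected, download-restricted file share
# and a password-protected folder share with two files inside it.
SHARES = {
    "aB3dE9": LinkShare(token="aB3dE9", node_id=101,
                        password_protected=True, download_allowed=False),
    "fG7hJ2": LinkShare(token="fG7hJ2", node_id=200, is_folder=True,
                        child_ids=frozenset({201, 202}), password_protected=True),
}

# Constructed sessions: an attacker who owns an unrelated document, and the
# intended recipient who has entered the share passwords.
ATTACKER = Session(user_id="mallory", owned_document_ids=frozenset({999}))
RECIPIENT = Session(user_id="alice", owned_document_ids=frozenset(),
                    unlocked_share_tokens=frozenset({"aB3dE9", "fG7hJ2"}))


def find_share(token: str):
    return SHARES.get(token)


def vulnerable_authorize(token: str, document_id: int, session: Session) -> bool:
    """Flawed check: a valid share token plus a readable document id is enough.

    The share's password state and download restriction are never consulted,
    and for a file share the document id is not tied to the shared node.
    """
    share = find_share(token)
    if share is None:
        return False
    if share.is_folder:
        # Folder share: the attacker has to know or guess a file id inside it.
        return document_id in share.child_ids
    # File share: any document the caller can read (e.g. one they own) passes.
    return document_id == share.node_id or document_id in session.owned_document_ids


def hardened_authorize(token: str, document_id: int, session: Session) -> tuple[bool, str]:
    """Hardened check: every share-level restriction applies to attachments too."""
    share = find_share(token)
    if share is None:
        return False, "unknown share token"
    in_share = document_id == share.node_id or (
        share.is_folder and document_id in share.child_ids)
    if not in_share:
        return False, "document is not part of this share"
    if share.password_protected and token not in session.unlocked_share_tokens:
        return False, "share password not entered in this session"
    if not share.download_allowed:
        return False, "downloads are restricted on this share"
    return True, "ok"


if __name__ == "__main__":
    print("flawed  :", vulnerable_authorize("aB3dE9", 999, ATTACKER))
    print("hardened:", hardened_authorize("aB3dE9", 999, ATTACKER))
    print("hardened:", hardened_authorize("fG7hJ2", 201, RECIPIENT))
```

The order of checks in the hardened variant matters: membership in the share is decided first so that an unrelated document ID never reaches the password or download logic, and the download restriction is enforced on the attachment path as well, not only on the share's main download route.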

Impact

Exploitation of this vulnerability allows authenticated attackers to access and download attachments from shared links, bypassing any password protections or download restrictions that may be in place.

Remediation

Nextcloud Server users should upgrade to version 32.0.9 or 33.0.3. Nextcloud Enterprise Server users should upgrade to 27.1.11.5, 28.0.14.17, 29.0.16.16, 30.0.17.9, 31.0.14.5, 32.0.9 or 33.0.3, depending on the release line in use.

Added: Jun 1, 2026, 8:16 PM
Updated: Jun 1, 2026, 8:16 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 0.6
exploitability: 4.7
remediation: 8.3
relevance: 9.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.