Nextcloud
cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:*:*
- >= 32.0.0, < 32.0.2
- >= 33.0.0, < 33.0.1
A vulnerability exists in the Nextcloud Server Files Lock app in versions 32.0.0 up to, but not including, 32.0.2 and 33.0.0 up to, but not including, 33.0.1. The app did not properly validate file ownership when handling WebDAV lock and unlock requests. As a result, an authenticated user could manipulate files belonging to other users by targeting their absolute WebDAV paths. The vulnerability also allowed unauthorized users to access lock tokens through error responses, enabling them to remove token-based locks applied by other users' client applications.
Exploitation of this vulnerability could lead to unauthorized locking or unlocking of files, disrupting normal file management processes and potentially causing confusion or data loss.
Users are advised to upgrade Nextcloud Server to version 32.0.2 or 33.0.1. Nextcloud Enterprise Server users should upgrade to version 31.0.14.4, 32.0.2, or 33.0.1.
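A log triage check for the behaviour described above, as an added example that is not Nextcloud's code or part of the advisory: it flags LOCK and UNLOCK requests whose authenticated user differs from the owner segment of the WebDAV path. It assumes a combined-format access log that records the authenticated user and the `/remote.php/dav/files/<owner>/` path layout; the function name and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Assumption: "combined" access log format, authenticated user in the third field.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: per-user WebDAV root is /remote.php/dav/files/<owner>/...
DAV_FILES = re.compile(r'/remote\.php/dav/files/(?P<owner>[^/]+)/')

def cross_user_lock_requests(lines):
    """Return LOCK/UNLOCK requests aimed at another user's WebDAV path."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] not in ("LOCK", "UNLOCK"):
            continue
        user = m["user"]
        if user == "-":
            # Session or token auth is not logged here; correlate with app logs instead.
            continue
        path = unquote(m["path"])  # decode %20 etc. before reading the owner segment
        d = DAV_FILES.search(path)
        if not d:
            continue
        # Case-insensitive comparison avoids flagging the same account twice.
        if d["owner"].lower() != user.lower():
            findings.append({
                "time": m["ts"], "ip": m["ip"], "user": user,
                "owner": d["owner"], "method": m["method"],
                "path": path, "status": int(m["status"]),
            })
    return findings

# Constructed sample lines (documentation IP ranges, made-up users and files).
SAMPLE_LOG = [
    '203.0.113.7 - alice [10/Jan/2026:09:14:02 +0000] "LOCK /remote.php/dav/files/alice/report.odt HTTP/1.1" 200 412 "-" "constructed-client"',
    '203.0.113.9 - mallory [10/Jan/2026:09:15:40 +0000] "LOCK /remote.php/dav/files/bob/plans/q1.ods HTTP/1.1" 200 398 "-" "constructed-client"',
    '203.0.113.9 - mallory [10/Jan/2026:09:15:44 +0000] "UNLOCK /remote.php/dav/files/bob/plans/q1%20final.ods HTTP/1.1" 423 512 "-" "constructed-client"',
    '203.0.113.9 - mallory [10/Jan/2026:09:15:50 +0000] "PROPFIND /remote.php/dav/files/bob/ HTTP/1.1" 404 220 "-" "constructed-client"',
    '198.51.100.4 - - [10/Jan/2026:09:16:01 +0000] "LOCK /remote.php/dav/files/carol/a.txt HTTP/1.1" 401 150 "-" "constructed-client"',
]

if __name__ == "__main__":
    for f in cross_user_lock_requests(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['user']} -> {f['owner']}: "
              f"{f['method']} {f['path']} ({f['status']})")
```

Hits on a patched server are still worth reviewing, since the response status shows whether the request was accepted.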