Nextcloud User OIDC App LDAP Authentication Vulnerability for Deleted Users

Vulnerability

A vulnerability exists in the Nextcloud User OIDC app, affecting versions from 1.3.6 prior to 8.4.0, as well as 5.0.3, 6.1.0, and 6.3.0. The issue arises from an improper check in the LdapService, which allowed LDAP users who had already been deleted from the directory to still authenticate through the User OIDC app. This vulnerability has been patched in version 8.4.0.
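The class of check the advisory describes, as an added illustration that is not the app's or Nextcloud's own code: a login path that trusts a retained local user mapping versus one that re-validates the account against the directory before accepting the login. The store classes, function names and sample users are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed in-memory stand-ins for the two data stores involved; these are
# not Nextcloud classes, only a model of the pattern behind the advisory.
@dataclass
class Directory:
    """The LDAP directory: the source of truth for which accounts still exist."""
    entries: set = field(default_factory=set)

    def user_exists(self, uid: str) -> bool:
        return uid in self.entries


@dataclass
class LocalUserTable:
    """Application-side record of users previously provisioned from the backend."""
    known: set = field(default_factory=set)

    def has_mapping(self, uid: str) -> bool:
        return uid in self.known


def login_stale_check(uid: str, table: LocalUserTable, directory: Directory) -> bool:
    """Flawed pattern: accepts the login if a local mapping exists and never
    consults the directory, so an account deleted in LDAP still gets in."""
    return table.has_mapping(uid)


def login_live_check(uid: str, table: LocalUserTable, directory: Directory) -> bool:
    """Hardened pattern: a local mapping is necessary but not sufficient; the
    directory must still report the account at the moment of login."""
    return table.has_mapping(uid) and directory.user_exists(uid)


def demo() -> dict:
    """Returns the decision each pattern makes for an active and a deleted user."""
    directory = Directory({"alice", "bob"})
    table = LocalUserTable({"alice", "bob"})
    directory.entries.discard("bob")  # bob is deleted in LDAP; the local row remains
    return {
        "alice_stale": login_stale_check("alice", table, directory),
        "alice_live": login_live_check("alice", table, directory),
        "bob_stale": login_stale_check("bob", table, directory),
        "bob_live": login_live_check("bob", table, directory),
    }


if __name__ == "__main__":
    print(demo())
```

Operationally, the same gap shows up in audit logs as successful OIDC logins for accounts that no longer resolve in the directory, which is a useful reconciliation check while an upgrade is pending.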

Impact

Exploitation of this vulnerability allowed deleted LDAP users to authenticate with the Nextcloud User OIDC app, potentially leading to unauthorized access or actions under the identity of the deleted user.

Remediation

Users of the Nextcloud User OIDC app are advised to upgrade to version 8.4.0. If an immediate upgrade is not possible, the app can be temporarily disabled.

Added: Jun 1, 2026, 8:12 PM
Updated: Jun 1, 2026, 8:12 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 1.3
exploitability: 7.1
remediation: 8.3
relevance: 9.7
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.