Nextcloud Public Link Creation Vulnerability for External Team Members

Vulnerability

A vulnerability exists in Nextcloud versions from 32.0.0 up to but not including 32.0.9, and from 33.0.0 up to but not including 33.0.3. When files or folders are shared with a Nextcloud Team, public links are automatically created for the Team's external members. External members, who are added via email and have no Nextcloud account, receive these links by email, and the links grant the same permissions as the Team's access. The links are not visible to the folder owner, who cannot revoke them through the normal sharing interface. This oversight enables unauthorized access to and manipulation of the shared data by anyone who intercepts or receives the link.

Impact

Exploitation of this vulnerability allows external members to access, modify, delete, reshare, and download all data in the shared folder, without any additional authentication. The folder owner remains unaware of the public link's existence and cannot revoke it.

Remediation

Users are advised to upgrade Nextcloud Server to version 32.0.9 or 33.0.3. Nextcloud Enterprise Server users should also upgrade to version 32.0.9 or 33.0.3.
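
To find which instances in a fleet still need the upgrade, the following added example (not part of the advisory or of Nextcloud's own code) checks reported versions against the affected ranges stated above. It assumes each instance's status.php JSON body has already been collected; the host labels and sample responses are constructed, and a pre-release of 33.0.0 is treated as 33.0.0, which is a conservative assumption.

```python
import json
import re

# Affected ranges from the advisory: (first affected release, first fixed release).
AFFECTED = [((32, 0, 0), (32, 0, 9)), ((33, 0, 0), (33, 0, 3))]

def parse_version(text):
    """Return (major, minor, patch) from strings like '32.0.8.1' or '33.0.0 RC2'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())

def fixed_in(version):
    """Return the fixed release if `version` is in an affected range, else None."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED:
        if first_affected <= v < first_fixed:
            return ".".join(map(str, first_fixed))
    return None

def audit(inventory):
    """Map each host label to a verdict, given its raw status.php response body."""
    findings = {}
    for host, body in inventory.items():
        try:
            status = json.loads(body)
            raw = status.get("versionstring") or status["version"]
            fix = fixed_in(raw)
            findings[host] = f"affected (fixed in {fix})" if fix else "outside affected ranges"
        except (ValueError, KeyError, TypeError, AttributeError):
            # Unparseable responses need a manual check rather than a silent pass.
            findings[host] = "unknown"
    return findings

# Constructed sample responses, keyed by hypothetical host labels.
SAMPLE = {
    "cloud-a": '{"installed":true,"version":"32.0.8.1","versionstring":"32.0.8"}',
    "cloud-b": '{"installed":true,"version":"33.0.3.2","versionstring":"33.0.3"}',
    "cloud-c": '{"installed":true,"version":"33.0.0.16","versionstring":"33.0.0 RC2"}',
    "cloud-d": "<html>502 Bad Gateway</html>",
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{host}: {verdict}")
```

A verdict of "outside affected ranges" only means the version is not in the two ranges this advisory lists; it says nothing about other advisories.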

Added: Jun 1, 2026, 8:16 PM
Updated: Jun 1, 2026, 8:16 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 3.1
exploitability: 5.8
remediation: 7.7
relevance: 9.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.