Nextcloud
cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:*:*
- >= 33.0.0, < 33.0.3
- >= 32.0.0, < 32.0.9
An authentication bypass has been identified in Nextcloud Server versions 32.0.0 prior to 32.0.9 and 33.0.0 prior to 33.0.3, as well as in Nextcloud Enterprise Server versions 29.0.0 through 29.0.16.15, 30.0.0 through 30.0.17.8, 31.0.0 through 31.0.14.4, 32.0.0 prior to 32.0.9, and 33.0.0 prior to 33.0.3. An attacker who knows a user's password can bypass two-factor authentication (2FA). When a user logs in with valid credentials on a 2FA-enabled account, a session token is created before the second factor is challenged. That pre-2FA token can be extracted and replayed via HTTP Basic Authentication to reach protected endpoints without ever completing the second factor.
Exploitation reduces a 2FA-protected account to password-only security: the session token issued before the 2FA challenge is a valid credential on the HTTP Basic Authentication path, so anyone holding the password can use it to call authenticated endpoints as that user.
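The flaw class described above, modelled as an added example that is not Nextcloud's code: a two-step login issues a session token after the password check, and an alternate authentication path (here standing in for HTTP Basic Authentication) accepts any existing session token without looking at whether the second factor was completed. The hardened variant refuses a session on a 2FA-enabled account until the second factor is done. All class, method and account names and the one-time codes are constructed for illustration and are not taken from Nextcloud.

```python
"""Constructed model of a pre-2FA session token being accepted by a second
authentication path. Not Nextcloud code; names and data are assumed."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: str
    # False in the window between password acceptance and the 2FA challenge
    second_factor_done: bool = False


@dataclass
class AuthServer:
    # user -> (password, two_factor_enabled); constructed sample accounts
    users: Dict[str, Tuple[str, bool]]
    # user -> expected one-time code; constructed stand-in for a real TOTP check
    otp_codes: Dict[str, str]
    sessions: Dict[str, Session] = field(default_factory=dict)

    def password_login(self, user: str, password: str) -> Optional[str]:
        """First login step. Issues a session token as soon as the password
        is correct, i.e. before the second factor is challenged."""
        record = self.users.get(user)
        if record is None or not secrets.compare_digest(record[0], password):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user=user)
        return token

    def complete_second_factor(self, token: str, code: str) -> bool:
        """Second login step: marks the session as fully authenticated."""
        session = self.sessions.get(token)
        if session is None:
            return False
        expected = self.otp_codes.get(session.user, "")
        if not secrets.compare_digest(expected, code):
            return False
        session.second_factor_done = True
        return True

    def basic_auth_vulnerable(self, token: str) -> Optional[str]:
        """Flawed alternate path: any existing session token is accepted,
        so a token captured after step one alone grants access."""
        session = self.sessions.get(token)
        return session.user if session else None

    def basic_auth_hardened(self, token: str) -> Optional[str]:
        """Fixed path: a session on a 2FA-enabled account is only usable
        once the second factor has been completed."""
        session = self.sessions.get(token)
        if session is None:
            return None
        _, two_factor_enabled = self.users[session.user]
        if two_factor_enabled and not session.second_factor_done:
            return None
        return session.user


def build_server() -> AuthServer:
    # constructed sample data: alice has 2FA enabled, bob does not
    return AuthServer(
        users={"alice": ("correct horse battery staple", True),
               "bob": ("hunter2", False)},
        otp_codes={"alice": "482913"},
    )


def replay_before_second_factor(server: AuthServer) -> Tuple[Optional[str], Optional[str]]:
    """Attacker who knows alice's password takes the step-one token and replays
    it over the Basic Auth path. Returns (vulnerable_result, hardened_result)."""
    token = server.password_login("alice", "correct horse battery staple")
    assert token is not None
    return server.basic_auth_vulnerable(token), server.basic_auth_hardened(token)


if __name__ == "__main__":
    print(replay_before_second_factor(build_server()))  # ('alice', None)
```

The check that matters is the one in `basic_auth_hardened`: every authentication path that accepts a session token must consult the same "second factor completed" state as the interactive login flow, otherwise the token issued between the two steps is a full credential on whichever path forgot to look.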
Users are advised to upgrade Nextcloud Server to version 33.0.3 or 32.0.9. Nextcloud Enterprise Server users should upgrade to version 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, or 29.0.16.16.