Nextcloud Server and Enterprise Two-Factor Authentication Bypass Vulnerability via Pre-Authentication Session Cookie

Vulnerability

A vulnerability exists in Nextcloud Server versions 32.0.0 prior to 32.0.9 and 33.0.0 prior to 33.0.3, as well as in Nextcloud Enterprise Server versions 29.0.0 through 29.0.16.16, 30.0.0 through 30.0.17.9, 31.0.0 through 31.0.14.5, 32.0.0 prior to 32.0.9, and 33.0.0 prior to 33.0.3. The issue arises because a session cookie issued before the two-factor authentication step has completed can be reused as a Bearer token to authenticate against DAV endpoints. This reuse grants read/write access while bypassing a mandatory two-factor authentication requirement.
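
The following is an added illustration of the class of flaw described above, not Nextcloud's code and not the project's actual fix: a small model of an authorization check for a DAV-style endpoint, shown once in a flawed form that accepts any known secret as a Bearer token, and once in a hardened form that rejects session cookies presented in an Authorization header and refuses any session still waiting for its second factor. All names (`Credential`, `SAMPLE_STORE`, the `kind` values `session_cookie` and `app_token`, the sample secrets) are assumptions constructed for the example.

```python
# Added illustration of the flaw class described in the advisory: a session
# identifier issued before 2FA completes is accepted as a Bearer token by a
# DAV-style endpoint. Hypothetical model, not Nextcloud's code; every name
# below is an assumption chosen for the example.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Credential:
    """Server-side record looked up by the secret the client presents."""
    kind: str                # assumed values: "session_cookie" or "app_token"
    user: str
    two_factor_required: bool
    two_factor_passed: bool  # for a session cookie: has the 2FA step completed?


# Constructed sample store mapping a presented secret to its record.
# "sess-pending" models a cookie issued after the password check but before
# the second factor has been provided.
SAMPLE_STORE: Dict[str, Credential] = {
    "sess-pending": Credential("session_cookie", "alice", True, False),
    "sess-complete": Credential("session_cookie", "alice", True, True),
    "apptok-bob": Credential("app_token", "bob", True, True),
}


def dav_user_vulnerable(store: Dict[str, Credential], bearer: str) -> Optional[str]:
    """Flawed check: any secret the store recognises is honoured as a Bearer token.

    Nothing distinguishes a browser session cookie from a token minted for
    API use, and the session's two-factor state is never consulted, so a
    pre-2FA cookie grants DAV access.
    """
    cred = store.get(bearer)
    return cred.user if cred else None


def dav_user_hardened(store: Dict[str, Credential], bearer: str) -> Optional[str]:
    """Hardened check: only credentials minted for Bearer use are accepted,
    and a session whose second factor is outstanding authorises nothing."""
    cred = store.get(bearer)
    if cred is None:
        return None
    if cred.kind != "app_token":
        # Session cookies belong to the browser login flow; never accept them
        # from an Authorization header, whatever their 2FA state.
        return None
    if cred.two_factor_required and not cred.two_factor_passed:
        # Defence in depth: even a Bearer-class credential is useless while
        # the login that produced it has not finished its second factor.
        return None
    return cred.user


def compare(store: Dict[str, Credential], bearer: str) -> Dict[str, Optional[str]]:
    """Evaluate both checks on one presented value so the difference is visible."""
    return {
        "vulnerable": dav_user_vulnerable(store, bearer),
        "hardened": dav_user_hardened(store, bearer),
    }


if __name__ == "__main__":
    for secret in ("sess-pending", "sess-complete", "apptok-bob", "unknown"):
        print(secret, compare(SAMPLE_STORE, secret))
```

The point the model makes is that the decision must be taken on the credential's type and on the completion state of the login that produced it, not merely on whether the presented string is known to the server. Where 2FA is enforced, a session in the pending state should carry no authority at all outside the 2FA challenge itself.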

Impact

Exploitation of this vulnerability allows unauthorized read and write access to DAV endpoints while circumventing two-factor authentication.

Remediation

Users are advised to upgrade Nextcloud Server to version 33.0.3 or 32.0.9. Nextcloud Enterprise Server users should upgrade to version 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, or 29.0.16.16.

Added: Jun 1, 2026, 8:05 PM
Updated: Jun 1, 2026, 8:05 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 5.0
exploitability: 6.6
remediation: 7.7
relevance: 9.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.