Security Advisory

Back to advisories

Bypass of 2 Factor Authentication (NC-SA-2018-007)

3rd August 2018

Risk level: High

CVSS v3 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

CWE: Improper Authentication - Generic (CWE-287)

HackerOne report: 248656


Improper authentication of the second factor challenge would allow an attacker that had access to user credentials to bypass the second factor validation completely.

Affected Software

  • Nextcloud Server < 12.0.3 (2018-3775)

Action Taken

The error has been fixed and regression tests are in place.


It is recommended that all instances are upgraded at least to Nextcloud 12.0.3.


The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • kaysbugs - Vulnerability discovery and disclosure.

This advisory is licensed CC BY-SA 4.0.

You have javascript disabled. We tried to make sure the basics of our website work but some functionality will be missing.

This website is using cookies. By visiting you agree with our privacy policy. That's Fine