Security Advisory

Back to advisories

Improper permission preservation on reshares (NC-SA-2020-012)

27th June 2019

Risk level: Medium

CVSS v3 Base Score: 6.4 (AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H)

CWE: Improper Preservation of Permissions (CWE-281)

HackerOne report: 619484


Improper permissions preservation in Nextcloud Server 16.0.1 causes sharees to be able to reshare with write permissions when sharing the mount point of a share they received, as a public link.

Affected Software

  • Nextcloud Server < 16.0.2 (CVE-2019-15621)
  • Nextcloud Server < 15.0.9 (CVE-2019-15621)
  • Nextcloud Server < 14.0.13 (CVE-2019-15621)

Action Taken

The error has been fixed.


It is recommended that the Nextcloud Server is upgraded to 16.0.2.


The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:

This advisory is licensed CC BY-SA 4.0.

You have javascript disabled. We tried to make sure the basics of our website work but some functionality will be missing.

This website is using cookies. By visiting you agree with our privacy policy. That's Fine