Security Advisory

Back to advisories

App password scope can be changed for other users (NC-SA-2018-001)

7th February 2018

Risk level: Low

CVSS v3 Base Score: 3.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L)

CWE: Authorization Bypass Through User-Controlled Key (CWE-639)

HackerOne report: 297751


A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user.

Affected Software

  • Nextcloud Server < 12.0.5 (CVE-2017-0936)
  • Nextcloud Server < 11.0.7 (CVE-2017-0936)

Action Taken

The error has been fixed and regression tests been added.


It is recommended that all instances are upgraded to Nextcloud 12.0.5.


The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:

This advisory is licensed CC BY-SA 4.0.

You have javascript disabled. We tried to make sure the basics of our website work but some functionality will be missing.

This website is using cookies. By visiting you agree with our privacy policy. That's Fine