Security Advisory


App password scope can be changed for other users (NC-SA-2018-001)

7th February 2018

Risk level: Low

CVSS v3 Base Score: 3.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L)

CWE: Authorization Bypass Through User-Controlled Key (CWE-639)

HackerOne report: 297751


A missing ownership check allowed logged-in users to change the scope of app passwords belonging to other users. Note that the app passwords themselves were neither disclosed nor could the error be misused to authenticate as another user.
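To show the pattern behind this advisory (a scope update keyed only on a caller-supplied token id, CWE-639), here is an added example written for this page; it is not Nextcloud's code, and the token store, field names and the `NotOwner` exception are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class AppPassword:
    """A stored app password (token). The secret itself is never held here."""
    token_id: int
    uid: str                                   # owner of the token
    scope: dict = field(default_factory=lambda: {"filesystem": True})

# Constructed sample data: two users, each owning one app password.
TOKENS = {
    1: AppPassword(token_id=1, uid="alice"),
    2: AppPassword(token_id=2, uid="bob"),
}

class NotOwner(Exception):
    """Raised when the caller does not own the token being changed."""

def update_scope_vulnerable(current_uid: str, token_id: int, scope: dict) -> AppPassword:
    """Looks the token up by the caller-supplied id alone.

    The logged-in user is known (current_uid) but never compared with the
    token's owner, so any user can change the scope of any token.
    """
    token = TOKENS[token_id]
    token.scope = dict(scope)
    return token

def update_scope_fixed(current_uid: str, token_id: int, scope: dict) -> AppPassword:
    """Same operation with the ownership check the advisory describes as missing."""
    token = TOKENS[token_id]
    if token.uid != current_uid:
        # Refuse before touching the record; the caller learns only that
        # the id is not theirs, not anything about the token itself.
        raise NotOwner(f"token {token_id} does not belong to {current_uid}")
    token.scope = dict(scope)
    return token
```

A regression test for the fix is the check that a cross-user call raises and leaves the stored scope untouched, while the owner's own call still succeeds.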

Affected Software

  • Nextcloud Server < 12.0.5 (CVE-2017-0936)
  • Nextcloud Server < 11.0.7 (CVE-2017-0936)

Action Taken

The error has been fixed and regression tests have been added.


The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:

This advisory is licensed CC BY-SA 4.0.