CVE-2022-39334 LOW

CVE-2022-39334: nextcloudcmd incorrectly trusts bad TLS certificates

Vendor Nextcloud
Product security-advisories
Weakness CWE-295
Published November 25, 2022
Last update November 3, 2025

CVSS base score

3.9/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server.

Key dates

02Disclosure timeline

November 25, 2022 CVE published
November 3, 2025 Record updated