CVE-2023-26482 CRITICAL

CVE-2023-26482: Scope of workflow operations is not validated in nextcloud server

Vendor Nextcloud

Product security-advisories

Weakness CWE-78

Published March 30, 2023

Last update February 11, 2025

View on NVD All CVEs

CVSS base score

9.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Nextcloud server is an open source home cloud implementation. In affected versions a missing scope validation allowed users to create workflows which are designed to be only available for administrators. Some workflows are designed to be RCE by invoking defined scripts, in order to generate PDFs, invoking webhooks or running scripts on the server. Due to this combination depending on the available apps the issue can result in a RCE at the end. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. Users unable to upgrade should disable app `workflow_scripts` and `workflow_pdf_converter` as a mitigation.

Key dates

02Disclosure timeline

March 30, 2023 CVE published

February 11, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-26482

Related vulnerabilities

Identifiers

CVE CVE-2023-26482

CWE CWE-78

CVSS 9.1 / CRITICAL

Affected versions

Vendor Nextcloud

Product security-advisories

Affected < 24.0.10

Vendor Nextcloud

Product security-advisories

Affected >= 25.0.0, < 25.0.4

CVE-2023-26482: Scope of workflow operations is not validated in nextcloud server

01Description

02Disclosure timeline

03References

04Related CVE