nextcloud, owncloud
2017-10-23 14:15
2017-06-16 19:21
2017-05-10 23:45
2017-04-14 10:19
2017-04-01 21:42
2017-03-28 21:03


Nextcloud Server before 9.0.54 and 10.0.0 suffers from an improper authorization check on removing shares. The Sharing Backend as implemented in Nextcloud does differentiate between shares to users and groups. In case of a received group share, users should be able to unshare the file to themselves but not to the whole group. The previous API implementation simply unshared the file to all users in the group.

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unrealeased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continously monitor your installed packages, and tell you if any of them are vulnerable.

Sign up for monitoring

Affected package information



Release Package Reason
precise nextcloud DNE
owncloud ignored
precise/esm nextcloud DNE
owncloud DNE
trusty nextcloud DNE
vivid/stable-phone-overlay nextcloud DNE
owncloud DNE
vivid/ubuntu-core nextcloud DNE
owncloud DNE
xenial nextcloud DNE
owncloud DNE
yakkety nextcloud DNE
owncloud DNE
zesty nextcloud DNE
owncloud DNE
artful nextcloud DNE
owncloud DNE
devel nextcloud DNE
owncloud DNE

Needs Triage

Release Package Reason
upstream nextcloud needs-triage
owncloud needs-triage
trusty owncloud needs-triage