CVE-2021-32766

Nextcloud Text app can disclose existence of folders in "File Drop" link share

Description

Nextcloud Text is an open source plaintext editing application which ships with the nextcloud server. In affected versions the Nextcloud Text application returned different error messages depending on whether a folder existed in a public link share. This is problematic in case the public link share has been created with "Upload Only" privileges. (aka "File Drop"). A link share recipient is not expected to see which folders or files exist in a "File Drop" share. Using this vulnerability an attacker is able to enumerate folders in such a share. Exploitation requires that the attacker has access to a valid affected "File Drop" link share. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.0.1. Users who are unable to upgrade are advised to disable the Nextcloud Text application in the app settings.

Category

5.3
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.38%
Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory hackerone.com
Affected: nextcloud security-advisories
Published at:
Updated at:

References

Link Tags
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-gcf3-3wmc-88jr third party advisory
https://github.com/nextcloud/text/pull/1716 third party advisory patch
https://hackerone.com/reports/1253475 third party advisory permissions required

Frequently Asked Questions

What is the severity of CVE-2021-32766?
CVE-2021-32766 has been scored as a medium severity vulnerability.
How to fix CVE-2021-32766?
To fix CVE-2021-32766, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-32766 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-32766 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-32766?
CVE-2021-32766 affects nextcloud security-advisories.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.