CVE-2023-35928

🗓️ 23 Jun 2023 20:58:33Reported by GitHub_MType

Nextcloud Server versions 25.0.0 to 26.0.2 and Enterprise Server versions 19.0.0 to 26.0.2 allow unauthorized access

Reporter	Title	Published	Views	Family All 52
BDU FSTEC	The vulnerability of cloud-based software for creating and using Nextcloud storage solutions lies in the improper limitation on excessive authentication attempts, which allows a hacker to compromise the target system.	10 Jul 202300:00	–	bdu_fstec
BDU FSTEC	The vulnerability of cloud-based software for creating and using Nextcloud storage solutions stems from improper handling of insufficient privileges. This allows attackers to gain access to the credentials of other users.	18 Jul 202300:00	–	bdu_fstec
CNNVD	Nextcloud 安全漏洞	23 Jun 202300:00	–	cnnvd
Cvelist	CVE-2023-35928 Nextcloud user scoped external storage can be used to gather credentials of other users	23 Jun 202320:58	–	cvelist
EUVD	EUVD-2023-39917	3 Oct 202520:07	–	euvd
Nextcloud	User scoped external storage can be used to gather credentials of other users	22 Jun 202313:24	–	nextcloud
Hacker One	Nextcloud: User scoped external storage can be used to gather credentials of other users	9 May 202309:31	–	hackerone
NVD	CVE-2023-35928	23 Jun 202321:15	–	nvd
OpenVAS	Nextcloud Server 25.x < 25.0.7, 26.x < 26.0.2 Multiple Vulnerabilities (GHSA-qphh-6xh7-vffg, GHSA-mjf5-p765-qmr6, GHSA-h7f7-535f-7q87, GHSA-637g-xp2c-qh5h)	23 Jun 202300:00	–	openvas
OSV	CVE-2023-35928 Nextcloud user scoped external storage can be used to gather credentials of other users	23 Jun 202320:58	–	osv

NVD

Vulners

Node

nextcloud nextcloud_serverRange19.0.0–19.0.13.9enterprise

nextcloud nextcloud_serverRange20.0.0–20.0.14.14enterprise

nextcloud nextcloud_serverRange21.0.0–21.0.9.12enterprise

nextcloud nextcloud_serverRange22.0.0–22.2.10.12enterprise

nextcloud nextcloud_serverRange23.0.0–23.0.12.7enterprise

nextcloud nextcloud_serverRange24.0.0–24.0.12.2enterprise

nextcloud nextcloud_serverRange25.0.0–25.0.7-

nextcloud nextcloud_serverRange25.0.0–25.0.7enterprise

nextcloud nextcloud_serverRange26.0.0–26.0.2-

nextcloud nextcloud_serverRange26.0.0–26.0.2enterprise

[
  {
    "vendor": "nextcloud",
    "product": "security-advisories",
    "versions": [
      {
        "version": "Nextcloud Enterprise Server >= 19.0.0, < 19.0.13.9",
        "status": "affected"
      },
      {
        "version": "Nextcloud Enterprise Server >= 20.0.0.0, < 20.0.14.14",
        "status": "affected"
      },
      {
        "version": "Nextcloud Enterprise Server >= 21.0.0.0, < 21.0.9.12",
        "status": "affected"
      },
      {
        "version": "Nextcloud Enterprise Server >= 22.0.0.0, < 22.2.10.12",
        "status": "affected"
      },
      {
        "version": "Nextcloud Enterprise Server >= 23.0.0.0, < 23.0.12.7",
        "status": "affected"
      },
      {
        "version": "Nextcloud Enterprise Server >= 24.0.0.0, < 24.0.12.2",
        "status": "affected"
      },
      {
        "version": "Nextcloud Enterprise Server >= 25.0.0, < 25.0.7 ",
        "status": "affected"
      },
      {
        "version": "Nextcloud Enterprise Server >= 26.0.0, < 26.0.2",
        "status": "affected"
      },
      {
        "version": "Nextcloud Server >= 25.0.0, < 25.0.7",
        "status": "affected"
      },
      {
        "version": "Nextcloud Server >= 26.0.0, < 26.0.2",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/nextcloud/security-advisories/security/advisories/GHSA-637g-xp2c-qh5h
github	www.github.com/nextcloud/server/pull/38265
hackerone	www.hackerone.com/reports/1978882

17 Jun 2026 06:05Current

8.5High risk

Vulners AI Score8.5

CVSS 3.18.4 - 8.8

EPSS0.00937

SSVC

CWE-274