There is no verification of the storage's ownership and/or type when deleting a user-managed external storage.
This means anyone on a Nextcloud instance can destroy any (user, global) external filesystem.
The attacker does not need to have access to the external storage.
The option 'Allow users to mount external storage' does not need to be enabled.
When executing the DELETE request on /apps/files_external/userstorages/<storage_id> [1], the app will:
[1] https://github.com/nextcloud/server/blob/master/apps/files_external/lib/Controller/UserStoragesController.php#L234
[2] https://github.com/nextcloud/server/blob/master/apps/files_external/lib/Service/DBConfigService.php#L67
[3] https://github.com/nextcloud/server/blob/master/apps/files_external/lib/Service/DBConfigService.php#L274
/apps/files_external/userstorages/<storage_id>, replace storage_id by the correct id (integer) of the storage.
Filesystem can be unmounted by anyone, I have no clue how this was not reported earlier.
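
A minimal model of the missing ownership and type check on delete, added here as an illustration and not taken from Nextcloud's code base. The class, method and constant names are hypothetical, and the sample mounts are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical model of the storage table; these are not Nextcloud's real classes.
const TYPE_ADMIN = 'admin';       // global mount created by an administrator
const TYPE_PERSONAL = 'personal'; // mount created by a single user

final class Mount {
    // $owner is null for admin (global) mounts.
    public function __construct(public int $id, public string $type, public ?string $owner) {}
}

final class MountStore {
    /** @var array<int, Mount> */
    private array $mounts = [];

    public function add(Mount $m): void { $this->mounts[$m->id] = $m; }
    public function has(int $id): bool { return isset($this->mounts[$id]); }

    // Behaviour described in the report: the id alone decides what is removed.
    public function deleteUnchecked(int $id): bool {
        if (!isset($this->mounts[$id])) { return false; }
        unset($this->mounts[$id]);
        return true;
    }

    // Hardened form: the mount must be personal AND belong to the caller.
    // An unknown id and a foreign id give the same result, so the endpoint
    // does not reveal which ids exist.
    public function deleteOwned(int $id, string $caller): bool {
        $m = $this->mounts[$id] ?? null;
        if ($m === null || $m->type !== TYPE_PERSONAL || $m->owner !== $caller) {
            return false; // a controller would map this to "not found"
        }
        unset($this->mounts[$id]);
        return true;
    }
}

// Constructed sample data: one global mount and two personal mounts.
$store = new MountStore();
$store->add(new Mount(1, TYPE_ADMIN, null));
$store->add(new Mount(2, TYPE_PERSONAL, 'alice'));
$store->add(new Mount(3, TYPE_PERSONAL, 'bob'));

var_dump($store->deleteOwned(1, 'bob'));    // bob asks for the global mount
var_dump($store->deleteOwned(2, 'bob'));    // bob asks for alice's mount
var_dump($store->deleteOwned(3, 'bob'));    // bob asks for his own mount
var_dump($store->has(1) && $store->has(2)); // mounts bob does not own
```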