Due to an improper authorization check in core an attacker with access to at least two user account is able to access the file names of other users.
Our post-mortem audit showed that this vulnerability does not leak any content of the file or the directory structure except the filename.
We added a permission check whether the account is allowed to share the specified file.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory: