VYPR
Unrated severity · NVD Advisory · Published Feb 4, 2020 · Updated Aug 5, 2024

CVE-2019-15610

Description

Improper authorization in Nextcloud Circles 0.17.7 retains access when an email address is removed from a circle.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Circles app for Nextcloud, specifically version 0.17.7, contains an improper authorization vulnerability [1]. When an email address is removed from a circle, the member retains their access rights, contrary to expected behavior [1]. This occurs because the authorization logic does not invalidate access when the membership is removed.

Exploitation

An attacker who previously had an email address added to a circle and then removed could continue to access resources shared with that circle [1]. No special network position or additional authentication is required beyond the existing session; the access persists due to the authorization not being revoked.

Impact

Successful exploitation leads to unauthorized access to circle resources, information disclosure, and potential further compromise of the Nextcloud instance depending on what the circle shares [1]. The attacker retains the privilege level of the circle member even after being removed.

Mitigation

Nextcloud released a fix as part of the security advisory [1]. Users should upgrade to a patched version of the Circles app (0.17.8 or later). No workaround is documented in the available references; the recommended mitigation is to apply the update promptly.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Improper authorization in the Circles app allows retaining access after an email address is removed."

Attack vector

An attacker can exploit this vulnerability by removing their email address from a circle and then attempting to access it. The application fails to properly re-authorize the user after the email removal, granting continued access. This allows unauthorized access to circle data even after the user should have been de-provisioned. The advisory does not specify further details on the attack vector or required privileges [1].

Affected code

The vulnerability is located within the Circles app, specifically in version 0.17.7. The advisory does not specify the exact file paths or function names involved in the improper authorization check [1].

What the fix does

The advisory indicates that a fix has been developed and applied to the master branch, and will be packaged in the next security release [1]. The exact nature of the fix is not detailed in the provided information, but it is expected to address the improper authorization check that allows retained access.
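An added illustration of the failure class described above, written for this page and not taken from Nextcloud Circles (the advisory names no files or functions, so the store classes, the circle name, the member address and the shared path below are all constructed). It places a share store that copies grants to each member on join, and forgets them on removal, beside one that revokes materialised grants and re-reads current membership on every access decision.

```python
# Hypothetical model of "access retained after membership removal".
# Not Nextcloud code; every name here is constructed for the example.
from dataclasses import dataclass, field


@dataclass
class Circle:
    name: str
    members: set = field(default_factory=set)        # current members, keyed by email
    shared_paths: set = field(default_factory=set)   # paths shared with the circle


class VulnerableShareStore:
    """Copies a per-member grant on join; removal forgets to revoke it.

    This is the failure class the advisory describes: the membership record is
    gone, but the access decision is still taken from the stale grant.
    """

    def __init__(self):
        self.grants = {}   # email -> set of paths the member may read

    def add_member(self, circle, email):
        circle.members.add(email)
        self.grants.setdefault(email, set()).update(circle.shared_paths)

    def remove_member(self, circle, email):
        circle.members.discard(email)
        # BUG (deliberate, to show the class of defect): self.grants[email] is left intact

    def can_access(self, email, path):
        return path in self.grants.get(email, set())


class FixedShareStore:
    """Revokes on removal and derives every decision from current membership."""

    def __init__(self):
        self.circles = {}  # circle name -> Circle
        self.grants = {}   # materialised grants, kept only as a lookup hint

    def register(self, circle):
        self.circles[circle.name] = circle

    def add_member(self, circle, email):
        circle.members.add(email)
        self.grants.setdefault(email, set()).update(circle.shared_paths)

    def remove_member(self, circle, email):
        circle.members.discard(email)
        # 1. Drop anything materialised for this member at the moment of removal.
        self.grants.pop(email, None)

    def can_access(self, email, path):
        # 2. The authoritative check re-reads membership at request time, so a
        #    leftover cache entry can never grant access on its own.
        return any(
            email in c.members and path in c.shared_paths
            for c in self.circles.values()
        )


def run_scenario(store_cls):
    """Add a member, remove them, and return (access before, access after)."""
    circle = Circle("engineering", shared_paths={"/Shared/design.md"})
    store = store_cls()
    if hasattr(store, "register"):
        store.register(circle)
    store.add_member(circle, "alice@example.test")
    before = store.can_access("alice@example.test", "/Shared/design.md")
    store.remove_member(circle, "alice@example.test")
    after = store.can_access("alice@example.test", "/Shared/design.md")
    return before, after


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableShareStore))  # (True, True)
    print("fixed:     ", run_scenario(FixedShareStore))       # (True, False)
```

The fixed store does two things on purpose: it revokes the materialised grant when the member leaves, and it never trusts that grant as the sole basis for an access decision. Either measure alone closes this particular scenario; together they also cover the case where a revocation step is missed or fails part-way, which is the situation a regression test for this class of bug should exercise.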

Preconditions

  • auth: The attacker must have previously been a member of a circle.
  • input: The attacker must remove their email address from the circle.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0

No linked articles in our index yet.