CVE-2020-36251
Description
ownCloud Server before 10.3.0 allows a group share recipient to remove that share for all other group recipients due to improper privilege management.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the group share deletion functionality of ownCloud Server versions before 10.3.0, specifically tested on 10.2.0. An attacker who has received non-administrative access to a group share can exploit improper privilege management (CWE-385) to delete the share for all group recipients, including the share owner. This occurs because the permission check does not adequately restrict deletion to the user's own share membership [1].
Exploitation
To exploit, the attacker must be a recipient of a group share (no administrative privileges required). The attacker navigates to the received share and uses the delete option. Due to the flawed permission check, the deletion request removes the share for the entire group, not just the attacker's own access. No special network position or user interaction beyond the attacker's own actions is needed [1].
Impact
Successful exploitation allows the attacker to remove the group share for all other recipients, effectively denying them access to the shared data. However, no data is permanently lost; the share can be re-created by the original owner. The impact is limited to availability (temporary denial of service) with low confidentiality and integrity impact, reflected in a CVSS base score of 3.5 [1].
Mitigation
The vulnerability is fixed in ownCloud Server version 10.3.0 by improving permission checks when deleting groups. Users should upgrade to 10.3.0 or later. No workarounds are provided in the available reference [1].
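The flaw described under Vulnerability and the fix described under Mitigation can be shown with a small model. This is an added example, not ownCloud's code or schema: the GroupShare class, its fields and both delete functions are hypothetical, and the users are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class GroupShare:
    """Constructed model of a group share; not ownCloud's schema."""
    owner: str
    group_members: set[str]
    declined_by: set[str] = field(default_factory=set)  # per-recipient opt-outs
    deleted: bool = False

    def visible_to(self, user: str) -> bool:
        if self.deleted:
            return False
        return user == self.owner or (
            user in self.group_members and user not in self.declined_by)


def delete_share_flawed(share: GroupShare, actor: str) -> None:
    """Pattern the CVE describes: any recipient's delete removes the share itself."""
    if actor == share.owner or actor in share.group_members:
        share.deleted = True  # affects the owner and every other recipient


def delete_share_checked(share: GroupShare, actor: str) -> str:
    """Scope the effect of a delete to the actor's role on the share."""
    if actor == share.owner:
        share.deleted = True
        return "share-removed"
    if actor in share.group_members:
        share.declined_by.add(actor)  # only the actor loses access
        return "membership-declined"
    raise PermissionError(f"{actor} has no role on this share")


def demo() -> dict:
    members = {"bob", "carol"}  # constructed sample recipients
    flawed = GroupShare("alice", set(members))
    delete_share_flawed(flawed, "bob")
    fixed = GroupShare("alice", set(members))
    outcome = delete_share_checked(fixed, "bob")
    return {"flawed_carol_sees": flawed.visible_to("carol"),
            "fixed_outcome": outcome,
            "fixed_carol_sees": fixed.visible_to("carol"),
            "fixed_bob_sees": fixed.visible_to("bob")}


if __name__ == "__main__":
    print(demo())
```

A regression test for this class of bug asserts on what the other recipients can still see after one recipient deletes, not only on the response to the deleting user.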
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ownCloud/ownCloud Server
Patches
1 file changed · +1 −4
CHANGELOG.md+1 −4 modified@@ -4,9 +4,7 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). -## [Unreleased] - -## [10.3.0] +## [10.3.0] - 2019-10-15 ### Added @@ -1168,7 +1166,6 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). - provisioning API now also returns the user's home path: [#26850](https://github.com/owncloud/core/issues/26850) - web updater shows link to changelog in admin page: [#26796](https://github.com/owncloud/core/issues/26796) -[Unreleased]: https://github.com/owncloud/core/compare/v10.3.0...master [10.3.0]: https://github.com/owncloud/core/compare/v10.2.1...v10.3.0 [10.2.1]: https://github.com/owncloud/core/compare/v10.2.0...v10.2.1 [10.2.0]: https://github.com/owncloud/core/compare/v10.1.1...v10.2.0
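Review bot: the first hunk deletes the `## [Unreleased]` heading and the second deletes the `[Unreleased]: https://github.com/owncloud/core/compare/v10.3.0...master` link, which leaves no section for post-release entries. Keep a Changelog, which this file says it follows, keeps an Unreleased section at the top, so I would stamp the release as `## [10.3.0] - 2019-10-15` but leave an empty `## [Unreleased]` above it and keep the compare link. Both hunks touch only CHANGELOG.md and add no entry for the group share deletion fix, so the permission-check change itself is not visible in this patch.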
References
[1] owncloud.com/security-advisories/deleting-received-group-share-for-whole-group/ (mitre, x_refsource_MISC)