Unrated severity · NVD Advisory · Published Jun 11, 2021 · Updated Aug 3, 2024

CVE-2021-22905

Description

Nextcloud Android App (com.nextcloud.client) before v3.16.0 is vulnerable to information disclosure due to searches for sharees being performed by default on the lookup server instead of only using the local Nextcloud server unless a global search has been explicitly chosen by the user.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nextcloud Android App before v3.16.0 leaks sharee searches to the lookup server by default, violating user expectation of local-only search.

Vulnerability

The Nextcloud Android App (com.nextcloud.client) before version 3.16.0 performs searches for sharees (users or groups to share with) on the Nextcloud lookup server by default, rather than only querying the local Nextcloud server. This behavior occurs unless the user has explicitly chosen a global search. The affected versions are all releases prior to 3.16.0 [1].

Exploitation

An attacker does not need special network position or authentication beyond what is already present. When a user performs a sharee search in the app, the search query is sent to the Nextcloud lookup server without the user's explicit consent. The lookup server operator (or any party with access to the server's logs or network traffic) can observe the search terms, which may include internal usernames, email addresses, or other identifiers [1].

Impact

Successful exploitation results in information disclosure: the attacker gains knowledge of the search queries made by the user. This breaks the user's expectation that searches are confined to the local Nextcloud server, potentially revealing sensitive information about the organization's user directory or sharing patterns [1].

Mitigation

The vulnerability is fixed in Nextcloud Android App version 3.16.0. Users should upgrade to this version or later. No workarounds are available [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

2
