Malicious Android app could access Shared Preferences of the Nextcloud Android client
Description
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.16.1, a malicious app on the same device could have gotten access to the shared preferences of the Nextcloud Android application. This required user interaction, as a victim had to initiate the sharing flow and choose the malicious app. The shared preferences contain some limited private data such as push tokens and the account name. The vulnerability is patched in version 3.16.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Nextcloud Android app prior to 3.16.1 allows a malicious app on the same device to access shared preferences via the sharing flow, leaking push tokens and account names.
Vulnerability
The Nextcloud Android application, in versions prior to 3.16.1, exposes its shared preferences to other apps on the same device when the user initiates the Android sharing flow and selects a malicious app. The shared preferences contain limited private data, including push tokens and the account name. This vulnerability is addressed in pull request #8433 [1].
Exploitation
Exploitation requires user interaction: the victim must start the share action from within the Nextcloud app and choose the attacker's app as the destination. No additional privileges are needed; the malicious app must be installed on the same device [2].
Impact
Upon successful exploitation, the malicious app gains access to the shared preferences file. The leaked data includes push notification tokens and the Nextcloud account name, which could be used for further attacks or account-related abuse. The sensitivity is limited as full credentials or file contents are not exposed [2].
Mitigation
The vulnerability is patched in Nextcloud Android app version 3.16.1, which was released on 2021-06-17. Users should update to this version or later via the Google Play Store or other distribution channels. No workarounds are available for versions prior to 3.16.1 [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <3.16.1
- nextcloud/security-advisories v5 Range: < 3.16.1
References
- github.com/nextcloud/android/pull/8433 (mitre, x_refsource_MISC)
- github.com/nextcloud/security-advisories/security/advisories/GHSA-25m9-cf6c-qf2c (mitre, x_refsource_CONFIRM)
- hackerone.com/reports/1142918 (mitre, x_refsource_MISC)