VYPR
Unrated severity · NVD Advisory · Published Sep 7, 2021 · Updated Aug 4, 2024

Secret Circle can be joined without approval in Nextcloud Circles

CVE-2021-37630

Description

Nextcloud Circles allowed any user to join Secret Circles without approval, leaking private information; fixed in versions 0.19.15, 0.20.11, and 0.21.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Nextcloud Circles versions before 0.19.15, 0.20.11 and 0.21.4, any authenticated user of the instance could join any "Secret Circle" without the approval of the circle owner. Secret Circles are meant to be hidden and invitation-only, so the join operation did not enforce the approval step that this circle type requires. The failure is one of authorization (what a logged-in user may do), not of authentication. [1][2]

Exploitation

An attacker holding any valid account on the instance who learns or guesses a Secret Circle's identifier can join it directly through the Circles API or user interface. No elevated privilege is needed and no action by the circle owner or its members is required; being a user of the same Nextcloud instance is sufficient. [1][2]

Impact

Successful exploitation makes the attacker a member of a circle whose membership was meant to be restricted, which is an information disclosure: the attacker can see the circle's membership list, that is the identities of the other members, and whatever has been shared with the circle, such as files and other shared data. [1][2]
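The pattern behind the Vulnerability and Exploitation sections above is an authorization decision that depends only on the caller being logged in, while the circle type calls for owner-controlled state (an invitation, or an approved request) as well. The following is an added illustrative model, not Nextcloud Circles code and not taken from its fix: the circle types, the `Circle` class and the `join_vulnerable`/`join_fixed` handlers are hypothetical names chosen to show the weak check beside the hardened one.

```python
"""Illustrative model of the access-control rule described by CVE-2021-37630.

Added example: this is NOT Nextcloud Circles code. All names below are
hypothetical; they model the policy "secret circles are invitation-only".
"""
from dataclasses import dataclass, field
from enum import Enum


class CircleType(Enum):
    PUBLIC = "public"   # anyone may join directly
    CLOSED = "closed"   # join requests wait for owner approval
    SECRET = "secret"   # hidden; members are added by invitation only


class JoinDenied(Exception):
    """Raised when a join is refused by the hardened handler."""


@dataclass
class Circle:
    circle_id: str
    owner: str
    ctype: CircleType
    members: set = field(default_factory=set)
    invited: set = field(default_factory=set)   # issued by the owner
    pending: set = field(default_factory=set)   # requests awaiting approval

    def __post_init__(self):
        self.members.add(self.owner)


def join_vulnerable(circle: Circle, user: str) -> str:
    """Shape of the flaw: authentication is the only check, so any user who
    knows a secret circle's id becomes a member without invitation."""
    if not user:
        raise JoinDenied("not authenticated")
    circle.members.add(user)
    return "member"


def join_fixed(circle: Circle, user: str) -> str:
    """Hardened form: the outcome depends on the circle type and on state
    the owner controls, not only on who the caller is."""
    if not user:
        raise JoinDenied("not authenticated")
    if user in circle.members:
        return "member"
    if circle.ctype is CircleType.PUBLIC:
        circle.members.add(user)
        return "member"
    if circle.ctype is CircleType.CLOSED:
        circle.pending.add(user)   # owner must approve later
        return "pending"
    # SECRET: only a previously issued invitation admits the user
    if user in circle.invited:
        circle.invited.discard(user)
        circle.members.add(user)
        return "member"
    raise JoinDenied("secret circle: invitation required")


def invite(circle: Circle, inviter: str, user: str) -> None:
    """Owner issues an invitation; the invitee can then join a secret circle."""
    if inviter != circle.owner:
        raise JoinDenied("only the owner may invite")
    circle.invited.add(user)


def approve(circle: Circle, moderator: str, user: str) -> None:
    """Owner approves a pending request on a closed circle."""
    if moderator != circle.owner:
        raise JoinDenied("only the owner may approve")
    if user in circle.pending:
        circle.pending.discard(user)
        circle.members.add(user)


def demo() -> dict:
    """Run both handlers against equivalent secret circles; returns outcomes."""
    out = {}
    weak = Circle("c1", "alice", CircleType.SECRET)
    out["vulnerable"] = join_vulnerable(weak, "mallory")     # uninvited, admitted
    out["vulnerable_members"] = sorted(weak.members)

    strong = Circle("c2", "alice", CircleType.SECRET)
    try:
        join_fixed(strong, "mallory")
        out["fixed_uninvited"] = "member"
    except JoinDenied:
        out["fixed_uninvited"] = "denied"                    # uninvited, refused
    invite(strong, "alice", "bob")
    out["fixed_invited"] = join_fixed(strong, "bob")         # invited, admitted
    out["fixed_members"] = sorted(strong.members)
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that `join_vulnerable` asks only "is this a user?", which every account on the instance satisfies, whereas `join_fixed` consults data the circle owner writes (`invited`, `pending`) before changing `members`.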

Mitigation

The vulnerability is fixed in Nextcloud Circles versions 0.19.15, 0.20.11 and 0.21.4. Administrators should upgrade the Circles app to the patched release of the branch they run. No workaround is available. [1][2]
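A quick way to confirm which branch an instance is on and whether it predates the fix is to read the Circles version out of `occ app:list` and compare it against the fixed versions listed in this advisory. The script below is an added example, not part of the page or of Nextcloud; it assumes the `occ app:list` text format of one `- app: version` entry per line under `Enabled:`/`Disabled:` headings, and the sample output it parses is constructed for the example. Versions outside the three listed branches are treated the way the affected ranges on this page read: anything below 0.19.15 is unfixed, anything above 0.21.x is outside the ranges.

```python
"""Check a Nextcloud Circles version against the CVE-2021-37630 fixed releases.

Added example, not Nextcloud code. Assumes `occ app:list` prints entries as
"  - circles: 0.20.10" under "Enabled:" / "Disabled:" headings.
"""
import re

# Fixed versions from the advisory, keyed by (major, minor) branch.
FIXED = {
    (0, 19): (0, 19, 15),
    (0, 20): (0, 20, 11),
    (0, 21): (0, 21, 4),
}
FIRST_FIX = (0, 19, 15)


def parse_version(v: str) -> tuple:
    """'0.21.3' -> (0, 21, 3); tolerates suffixes like '0.21.4-rc1'."""
    nums = []
    for part in v.strip().split(".")[:3]:
        m = re.match(r"\d+", part)
        if not m:
            raise ValueError(f"bad version: {v!r}")
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable(version: str) -> bool:
    """True if the version is inside the advisory's affected ranges."""
    ver = parse_version(version)
    branch = ver[:2]
    if branch in FIXED:
        return ver < FIXED[branch]
    # Older than the first patched branch: unfixed. Newer branches (0.22+,
    # or the 22.x/23.x numbering of later Circles) are outside the ranges.
    return ver < FIRST_FIX


def circles_entry(app_list_output: str):
    """Return (enabled, version_or_None) for the Circles app, or None if absent."""
    enabled = None
    for line in app_list_output.splitlines():
        if line.strip() == "Enabled:":
            enabled = True
        elif line.strip() == "Disabled:":
            enabled = False
        m = re.match(r"\s*-\s*circles(?::\s*(\S+))?\s*$", line)
        if m:
            return enabled, m.group(1)
    return None


def check(app_list_output: str) -> dict:
    """Summarise installed state and vulnerability for the Circles app."""
    entry = circles_entry(app_list_output)
    if entry is None:
        return {"installed": False, "enabled": False, "version": None,
                "vulnerable": False}
    enabled, version = entry
    vulnerable = is_vulnerable(version) if version else None
    return {"installed": True, "enabled": bool(enabled), "version": version,
            "vulnerable": vulnerable}


# Constructed sample of `occ app:list` output (not captured from a real host).
SAMPLE = """Enabled:
  - activity: 2.15.0
  - circles: 0.20.10
  - files: 1.16.0
Disabled:
  - admin_audit
"""

if __name__ == "__main__":
    print(check(SAMPLE))
```

On a real host run `sudo -u www-data php occ app:list` (path and web user vary by installation) and feed the output to `check`; a result of `"vulnerable": True` means the app is on an affected release of its branch and should be upgraded to the listed fixed version.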

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Range: < 0.19.15, >= 0.19.0 < 0.20.11, >= 0.20.0 < 0.21.4
  • nextcloud/security-advisories v5
    Range: < 0.19.15

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (3)

News mentions (0)

No linked articles in our index yet.