Permission bypass in Nextcloud Android App
Description
The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. An issue in versions prior to 3.17.1 may lead to sensitive information disclosure. An unauthorized app that does not have the otherwise required MANAGE_DOCUMENTS permission may view image thumbnails for images it does not have permission to view. Version 3.17.1 contains a patch. There are no known workarounds.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Nextcloud Android app prior to 3.17.1 allows unauthorized apps to view image thumbnails without MANAGE_DOCUMENTS permission.
Vulnerability
The issue is in the Nextcloud Android app's DiskLruImageCacheFileProvider. In versions prior to 3.17.1, the provider's android:readPermission attribute was incorrectly set, allowing any app to query the provider and access image thumbnails without the required MANAGE_DOCUMENTS permission. The fix changed android:readPermission to android:permission in the manifest [1][2][3].
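The manifest attributes named above can be compared with a small audit script. This is an added example, not code from the Nextcloud project or the advisory: the manifest is constructed, the package, class and authority names are hypothetical, and `android:exported="true"` is assumed. It computes each provider's effective read and write permission, showing that `android:readPermission` alone leaves the write side without a permission while `android:permission` covers both.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest; package, class and authority names are hypothetical,
# and android:exported="true" is an assumption made for this example.
MANIFEST_TEMPLATE = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.client">
  <application>
    <provider
        android:name=".ThumbnailCacheProvider"
        android:authorities="com.example.client.thumbs"
        android:exported="true"
        {perm_attr}="android.permission.MANAGE_DOCUMENTS" />
  </application>
</manifest>"""

BEFORE = MANIFEST_TEMPLATE.format(perm_attr="android:readPermission")
AFTER = MANIFEST_TEMPLATE.format(perm_attr="android:permission")


def _attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_providers(manifest_xml):
    """Return one finding per <provider> with its effective permissions."""
    findings = []
    for prov in ET.fromstring(manifest_xml).iter("provider"):
        base = _attr(prov, "permission")
        # readPermission / writePermission take precedence over permission.
        effective = {
            "read": _attr(prov, "readPermission") or base,
            "write": _attr(prov, "writePermission") or base,
        }
        # A missing android:exported is treated as not exported here
        # (the platform default when targetSdkVersion is 17 or higher).
        exported = _attr(prov, "exported") == "true"
        findings.append({
            "provider": _attr(prov, "name"),
            "exported": exported,
            "effective": effective,
            "unprotected": [k for k, v in effective.items() if exported and v is None],
        })
    return findings


if __name__ == "__main__":
    for label, xml_text in (("before", BEFORE), ("after", AFTER)):
        for f in audit_providers(xml_text):
            print(label, f["provider"], f["effective"], "unprotected:", f["unprotected"])
```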
Exploitation
An attacker app without the MANAGE_DOCUMENTS permission can access the DiskLruImageCacheFileProvider content provider and view thumbnail images. No additional authentication or user interaction is required beyond having an installed app that can query content providers [3].
Impact
Successful exploitation leads to unauthorized viewing of image thumbnails, which may contain sensitive information. The impact is limited to thumbnails, but could disclose private images if thumbnails reveal identifiable content [3].
Mitigation
The fix is available in version 3.17.1 of the Nextcloud Android app. Users should upgrade to this version. No workarounds are available [3].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 3.17.1
- nextcloud/security-advisories v5 Range: < 3.17.1
References
- github.com/nextcloud/android/commit/aa47197109970b8449c4e44601eba36e3481b086 (mitre, x_refsource_MISC)
- github.com/nextcloud/android/commit/b6ecf515b38c2d82d32743f27236534f3e03ee0c (mitre, x_refsource_MISC)
- github.com/nextcloud/security-advisories/security/advisories/GHSA-wrwg-jwpg-r3c4 (mitre, x_refsource_CONFIRM)
- hackerone.com/reports/1358597 (mitre, x_refsource_MISC)