Sensitive files/data exist after deletion of user account in Nextcloud Android
Description
Nextcloud Android is the Android client for Nextcloud, a self-hosted productivity platform. Prior to version 3.19.0, sensitive tokens, images, and user-related details remain on the device after a user account is deleted. This could result in misuse of the former account holder's information. Nextcloud Android version 3.19.0 contains a patch for this issue. There are no known workarounds available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Nextcloud Android prior to 3.19.0 retains sensitive user data after account deletion, risking misuse of the former user's information.
Vulnerability
Sensitive tokens, images, and user-related details persist after deletion of a user account in Nextcloud Android versions prior to 3.19.0. This occurs because the AccountRemovalWork cleanup process does not adequately remove all stored data. [1]
Exploitation
An attacker who gains access to the device or its storage (e.g., via physical access, backup extraction, or remote compromise) can retrieve the residual data. No additional privileges or user interaction are required beyond obtaining access to the stored data. [1]
Impact
Successful exploitation results in unauthorized disclosure of sensitive information, including authentication tokens, profile images, and other user-related details of the former account holder. This compromises confidentiality and could lead to further misuse of the affected user's identity or services. [1]
Mitigation
The issue is fixed in Nextcloud Android version 3.19.0, released on 2022-05-20, which properly cleans up user data upon account deletion. No workarounds are available for earlier versions. Users should update to the latest version. [1][2]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 3.19.0
- nextcloud/security-advisories (v5), Range: < 3.19.0
References
- github.com/nextcloud/android/pull/9644 (mitre, x_refsource_MISC)
- github.com/nextcloud/security-advisories/security/advisories/GHSA-xcj9-3jch-qr2r (mitre, x_refsource_CONFIRM)
- hackerone.com/reports/1222873 (mitre, x_refsource_MISC)