Ownership check missing when updating or deleting mail attachments in Nextcloud mail
Description
Nextcloud Mail is a mail app for the Nextcloud home server product. Versions of Nextcloud Mail prior to 1.12.2 were found to be missing user account ownership checks when performing tasks related to mail attachments, so attachments may have been exposed to incorrect system users. It is recommended that the Nextcloud Mail app be upgraded to 1.12.2. There are no known workarounds for this issue.
Workarounds
No workaround available
References
- Pull request
- HackerOne
For more information
If you have any questions or comments about this advisory:
- Create a post in nextcloud/security-advisories
- Customers: Open a support ticket at support.nextcloud.com
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Nextcloud Mail prior to 1.12.2 lacks ownership checks on mail attachments, allowing unauthorized deletion or overwrite of draft attachments.
Vulnerability
Nextcloud Mail versions before 1.12.2 fail to verify that the user performing operations on mail attachments (such as updating or deleting) owns the attachment. The missing check allows an authenticated user to manipulate attachments belonging to other users. This affects the LocalAttachment handling in the mail app [1][2][3].
Exploitation
An attacker with a valid Nextcloud account can send crafted requests to update or delete mail attachments they do not own, by exploiting the missing ownership verification in the mail app's attachment endpoints. No special privileges beyond a regular account are required [3].
Impact
Successful exploitation allows an attacker to overwrite the local_message_id for draft attachments or delete them, making the attachment unavailable to the legitimate sender. However, the attacker cannot read or exfiltrate the attachment content; only availability is impacted [3].
Mitigation
Upgrade Nextcloud Mail to version 1.12.2 or later, which includes the fix. No workarounds are available [3]. The fix was merged via pull request #6600 [1][2]. This CVE is not listed on CISA's KEV as of publication.
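The bug class described in the Vulnerability and Mitigation sections, as an added illustrative model that is not Nextcloud's code: the vulnerable path looks an attachment up by id alone, while the fixed path makes the requesting user part of the lookup, so another account's row is simply not found. The field names, `find_by_id`, `find_for_user` and `relink` are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional


class AttachmentNotFound(LookupError):
    """No attachment with that id exists for the requesting user."""

@dataclass
class LocalAttachment:
    id: int
    user_id: str                          # account that uploaded the file
    file_name: str
    local_message_id: Optional[int] = None  # draft the attachment is linked to

def find_by_id(rows, user_id, att_id):
    """Vulnerable lookup: keyed on id only; user_id is accepted but ignored."""
    if att_id not in rows:
        raise AttachmentNotFound(att_id)
    return rows[att_id]

def find_for_user(rows, user_id, att_id):
    """Fixed lookup: the owner is part of the key. Another account's row is
    reported as "not found", not "forbidden", so no other user's ids leak."""
    att = rows.get(att_id)
    if att is None or att.user_id != user_id:
        raise AttachmentNotFound(att_id)
    return att

def relink(rows, user_id, att_id, local_message_id, lookup):
    """Update handler for a draft attachment; the only difference between the
    pre-fix and post-fix code paths is which lookup it calls."""
    att = lookup(rows, user_id, att_id)
    att.local_message_id = local_message_id
    return att

def demo():
    """Constructed scenario: attachment 1 belongs to alice; bob, another regular
    account, tries to repoint it at his own draft 99. Reports each outcome."""
    rows = {1: LocalAttachment(1, "alice", "report.pdf", local_message_id=7)}
    clobbered = relink(rows, "bob", 1, 99, find_by_id).local_message_id == 99
    rows[1].local_message_id = 7                      # reset for the fixed run
    try:
        relink(rows, "bob", 1, 99, find_for_user)
        rejected = False
    except AttachmentNotFound:
        rejected = True
    owner_ok = relink(rows, "alice", 1, 8, find_for_user).local_message_id == 8
    return {"vulnerable_clobbered": clobbered, "fixed_rejected": rejected,
            "owner_still_works": owner_ok}
```

The same scoped lookup belongs in front of the delete handler; a deletion that runs after `find_by_id` has the same availability impact the Impact section describes.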
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- nextcloud/security-advisories v5 (Range: < 1.12.2)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/nextcloud/mail/pull/6600 [MITRE, x_refsource_MISC]
- github.com/nextcloud/mail/pull/6600/commits/6dd2527be8d4f6788b449c8a8f5577628b990605 [MITRE, x_refsource_MISC]
- github.com/nextcloud/security-advisories/security/advisories/GHSA-xhv7-5mhv-299j [MITRE, x_refsource_CONFIRM]
News mentions
No linked articles in our index yet.