Cleartext Transmission of Sensitive Information in user_oidc
Description
user_oidc for Nextcloud prior to 1.2.1 transmits OIDC client credentials and tokens in cleartext over HTTP, allowing network attackers to compromise accounts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In user_oidc versions prior to 1.2.1, the OpenID Connect login flow transmits sensitive information such as OIDC client credentials and tokens over unencrypted HTTP connections. This violates the expectation of TLS protection. The affected versions are all before 1.2.1. [1]
Exploitation
An attacker with network access to monitor traffic between the Nextcloud instance and the OIDC provider can capture the plaintext credentials and tokens. No authentication or user interaction is required beyond the normal login flow. The attack complexity is low as the data is sent in cleartext. [1]
Impact
Successful exploitation allows the attacker to obtain OIDC client credentials and tokens, potentially compromising the Nextcloud account and associated services. This can lead to unauthorized access and a potential data breach. Confidentiality and integrity are affected. [1]
Mitigation
The issue is fixed in user_oidc v1.2.1, which enforces HTTPS for login and code endpoints (see PR #495 [2]). Users should upgrade to this version. As a workaround, ensure that Nextcloud is accessed via HTTPS and set an HTTPS discovery URL in the provider settings. [1][2]
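As an added illustration (not code from user_oidc or the Nextcloud project), the check below mirrors the intent of the fix in Python: before a provider is used for login, refuse any discovery URL or sensitive endpoint that is not served over HTTPS. The provider hostname and discovery document are constructed for the example.

```python
"""Added example (not user_oidc code): reject OIDC provider endpoints that
would carry client credentials, authorization codes or tokens over plain
HTTP. The discovery document below is constructed for illustration."""
import json
from urllib.parse import urlsplit

# Endpoints that carry secrets: the authorization endpoint returns the code
# via redirect, the token endpoint receives client_id/client_secret and
# returns tokens, userinfo/jwks are fetched with or for those tokens.
SENSITIVE_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                       "userinfo_endpoint", "jwks_uri")


def is_https(url):
    """True only for an absolute URL whose scheme is https."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def find_cleartext_endpoints(discovery_url, discovery_doc):
    """Return {name: url} for every URL that is not HTTPS.
    An empty dict means the provider configuration is safe to use."""
    problems = {}
    if not is_https(discovery_url):
        problems["discovery_url"] = discovery_url
    for name in SENSITIVE_ENDPOINTS:
        url = discovery_doc.get(name)
        if url is None:
            continue  # optional endpoint not advertised
        if not is_https(url):
            problems[name] = url
    return problems


def provider_allowed(discovery_url, discovery_doc):
    """Gate the login flow: proceed only when nothing is cleartext."""
    return not find_cleartext_endpoints(discovery_url, discovery_doc)


# Constructed sample: a provider whose token endpoint still uses HTTP.
WEAK_DOC = json.loads("""{
  "issuer": "https://idp.example.test",
  "authorization_endpoint": "https://idp.example.test/authorize",
  "token_endpoint": "http://idp.example.test/token",
  "jwks_uri": "https://idp.example.test/jwks"
}""")
FIXED_DOC = dict(WEAK_DOC, token_endpoint="https://idp.example.test/token")
DISCOVERY = "https://idp.example.test/.well-known/openid-configuration"

if __name__ == "__main__":
    print(find_cleartext_endpoints(DISCOVERY, WEAK_DOC))
```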
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
nextcloud/security-advisories: affected range < 1.2.1