Nextcloud Talk Android broadcast incorrect permission handling
Description
Nextcloud Talk Android is the Android OS implementation of the Nextcloud Talk chat system. In affected versions the receiver is not protected by broadcastPermission, allowing malicious apps to monitor communication. It is recommended that Nextcloud Talk Android is upgraded to 14.1.0. There are no known workarounds for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Nextcloud Talk Android's unprotected broadcast receiver allows malicious apps to intercept communication; fixed in version 14.1.0.
Vulnerability
The Nextcloud Talk Android app before version 14.1.0 contains an unprotected broadcast receiver in its CallActivity component. The receiver is not protected by a broadcastPermission, allowing any app on the device to send or receive broadcasts intended for the Talk app. All versions prior to 14.1.0 are affected [1][2].
Exploitation
An attacker with a malicious app installed on the same Android device can register a receiver to intercept broadcasts sent to the Talk app's CallActivity. No special permissions are required beyond installation of the malicious app, as the broadcast receiver lacks permission enforcement. The attacker can then monitor these broadcasts without user interaction [2].
Impact
Successful exploitation allows a malicious app to eavesdrop on communication data transmitted via broadcasts, leading to unauthorized disclosure of sensitive information (confidentiality breach). There is no indication of integrity or availability impact from this vulnerability [2].
Mitigation
The vulnerability is fixed in Nextcloud Talk Android version 14.1.0, released on 2022-11-25. The fix introduces a custom permission for the broadcast receiver, preventing unauthorized apps from intercepting broadcasts [1][2]. No workarounds are available for this issue. Users should upgrade to 14.1.0 or later.
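The pattern behind this class of issue, shown as an added example that is not taken from the Nextcloud Talk code base: a dynamically registered receiver and its sender, first without and then with a custom signature-level permission. The package, class, action, extra and permission names are hypothetical, and the `setPackage` call is an extra hardening step that the advisory does not mention.

```kotlin
// Added example; not Nextcloud Talk's code. All com.example.* names are hypothetical.
// AndroidManifest.xml (the app declares and requests its own signature-level permission):
//   <permission android:name="com.example.chat.permission.CALL_EVENTS"
//               android:protectionLevel="signature" />
//   <uses-permission android:name="com.example.chat.permission.CALL_EVENTS" />
package com.example.chat

import android.app.Activity
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter

const val ACTION_CALL_EVENT = "com.example.chat.CALL_EVENT"
const val EXTRA_CALL_STATE = "com.example.chat.extra.CALL_STATE"
const val PERM_CALL_EVENTS = "com.example.chat.permission.CALL_EVENTS"

class ExampleCallActivity : Activity() {
    private var lastCallState: String? = null

    private val callEventReceiver = object : BroadcastReceiver() {
        override fun onReceive(context: Context, intent: Intent) {
            if (intent.action == ACTION_CALL_EVENT) {
                lastCallState = intent.getStringExtra(EXTRA_CALL_STATE)
            }
        }
    }

    override fun onStart() {
        super.onStart()
        val filter = IntentFilter(ACTION_CALL_EVENT)
        // Unprotected form: any installed app can deliver ACTION_CALL_EVENT here.
        //   registerReceiver(callEventReceiver, filter)
        // Protected form: broadcasts are accepted only from senders holding PERM_CALL_EVENTS.
        registerReceiver(callEventReceiver, filter, PERM_CALL_EVENTS, null)
    }

    override fun onStop() {
        unregisterReceiver(callEventReceiver)
        super.onStop()
    }
}

fun sendCallState(context: Context, state: String) {
    val intent = Intent(ACTION_CALL_EVENT)
        .setPackage(context.packageName) // extra hardening: deliver only inside this app
        .putExtra(EXTRA_CALL_STATE, state)
    // Unprotected form: context.sendBroadcast(intent) reaches any receiver matching the action.
    // Protected form: only receivers whose app holds PERM_CALL_EVENTS get the broadcast.
    context.sendBroadcast(intent, PERM_CALL_EVENTS)
}
```

Because the permission uses `protectionLevel="signature"`, only apps signed with the same certificate can hold it. Apps that target Android 14 or later must also pass an export flag such as `Context.RECEIVER_NOT_EXPORTED` through the five-argument `registerReceiver` overload.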
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <14.1.0
- nextcloud/security-advisories (v5), Range: < 14.1.0
Patches
No patches discovered yet.
References