Nextcloud Talk guests can continue to receive video streams from call after being removed from a conversation
Description
Nextcloud Talk Android is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0, guests can continue to receive video streams from a call after being removed from a conversation. An attacker would be able to see videos on a call in a public conversation after being removed from that conversation, provided that they were removed while being in the call. Versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0 contain patches for the issue. No known workarounds are available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Nextcloud Talk for Android prior to 12.2.8, 13.0.10, 14.0.6, and 15.0.0 allows removed guests to continue receiving video streams from a call.
Vulnerability
In Nextcloud Talk (Android app) prior to versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0, a guest participant can continue to receive video streams from a call after being removed from a conversation. This occurs if the guest is removed while actively participating in the call. The issue affects public conversations where guests are allowed to join. [2]
Exploitation
An attacker must be a guest in a public conversation and be removed from the conversation while they are still in the call. No additional privileges or user interaction beyond being a guest are required. The attacker can then continue to receive video streams from the call despite being removed. [2]
Impact
An attacker can gain unauthorized access to video streams from a call they were removed from, leading to a breach of confidentiality. The attacker can see all video feeds from participants in the ongoing call. [2]
Mitigation
The vulnerability is fixed in Nextcloud Talk versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0. Users should upgrade to these versions. No workarounds are available. [1][2]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 15.0.0
- nextcloud/security-advisories (v5), Range: < 12.2.8
References
- github.com/nextcloud/security-advisories/security/advisories/GHSA-wx6w-xpg9-6fv4 (mitre, x_refsource_CONFIRM)
- github.com/nextcloud/spreed/pull/7974 (mitre, x_refsource_MISC)
- hackerone.com/reports/1706248 (mitre, x_refsource_MISC)