Passcode bypass on Talk-Android app
Description
Talk-Android enables users to have video & audio calls through Nextcloud on Android. Due to a passcode bypass, an attacker is able to access the user's Nextcloud files and view conversations. To exploit this, the attacker needs physical access to the target's device. There are currently no known workarounds available. It is recommended that the Nextcloud Talk Android app is upgraded to 15.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Physical access to a device allows bypass of the Talk Android app passcode, exposing Nextcloud files and conversations.
Vulnerability
The Talk Android app, versions prior to 15.0.2, contains a passcode bypass vulnerability. An attacker with physical access to the target's device can circumvent the app's passcode protection, gaining unauthorized access to the user's Nextcloud files and conversations. The vulnerability is addressed in pull request #2598 [1] and documented in the security advisory [2].
Exploitation
To exploit this vulnerability, the attacker must have physical possession of the target's Android device. No additional authentication or user interaction is required beyond the physical access. The attacker can then bypass the passcode screen and directly access the Talk app's data, including Nextcloud files and chat conversations.
Impact
Successful exploitation results in unauthorized disclosure of sensitive information. The attacker can view the user's Nextcloud files and read all conversations within the Talk app. This compromises the confidentiality of both stored files and private communications.
Mitigation
The vulnerability is fixed in Talk Android version 15.0.2. Users should upgrade to this version or later. No workarounds are available [2]. The fix was merged in pull request #2598 [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 15.0.2
- nextcloud/security-advisories (v5), Range: < 15.0.2
Patches
No patches discovered yet.
References
- github.com/nextcloud/security-advisories/security/advisories/GHSA-wvr4-gc4c-6vmx (mitre, x_refsource_CONFIRM)
- github.com/nextcloud/talk-android/pull/2598 (mitre, x_refsource_MISC)
- hackerone.com/reports/1784645 (mitre, x_refsource_MISC)