VYPR
Unrated severity · NVD Advisory · Published Feb 6, 2023 · Updated Mar 10, 2025

Nextcloud Mail app temporarily stores cleartext password in database

CVE-2023-23944

Description

Nextcloud Mail is an email app for the Nextcloud home server platform. In versions prior to 2.2.2, users' passwords were stored in cleartext in the database for the duration of the OAuth2 setup procedure. Any attacker or malicious user with access to the database would have had access to these user passwords until the OAuth setup was completed. It is recommended that the Nextcloud Mail app is upgraded to 2.2.2. There are no known workarounds for this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nextcloud Mail prior to 2.2.2 stored user passwords in cleartext in the database during OAuth2 setup, exposing them to attackers with database access.

Vulnerability

Nextcloud Mail versions prior to 2.2.2 temporarily stored user passwords in cleartext in the database during the OAuth2 setup procedure. The password was stored in the password field of the mail account configuration even when OAuth2 authentication was being configured, instead of leaving the field empty until the access token was obtained [1][2].

Exploitation

An attacker or malicious user with database access (e.g., via SQL injection or compromised database credentials) could read the cleartext passwords of users who were in the process of setting up an OAuth2 mail account. No special network position or user interaction beyond normal OAuth2 setup is required [1].

Impact

Successful exploitation results in disclosure of user passwords, compromising confidentiality. The attacker gains unauthorized access to the user's mail account credentials, potentially leading to further compromise of the email account and related services [1].

Mitigation

The vulnerability is fixed in Nextcloud Mail version 2.2.2, released on 2023-02-06. Users should upgrade to this version or later. There are no known workarounds for this issue [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Nextcloud/Mail (llm-fuzzy)
    Range: < 2.2.2
  • nextcloud/security-advisories (v5)
    Range: < 2.2.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.