IDOR Vulnerability in Nextcloud Mail
Description
Nextcloud Mail is an email app for the Nextcloud home server platform. Prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8, an attacker can access a mailbox by ID, obtaining the subjects and the first characters of the emails. Users should upgrade to Mail 2.2.1 for Nextcloud 25, Mail 1.14.5 for Nextcloud 22-24, Mail 1.12.9 for Nextcloud 21, or Mail 1.11.8 for Nextcloud 20 to receive a patch. No known workarounds are available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Nextcloud Mail prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8 allows an attacker to read mailbox subjects and first characters via IDOR.
Vulnerability
Nextcloud Mail, an email app for Nextcloud, contains an Insecure Direct Object Reference (IDOR) vulnerability in the mailbox cache sync functionality. An attacker can access a mailbox by its ID and retrieve the subjects and first characters of emails. Affected versions are all releases before Mail 2.2.1 (Nextcloud 25), 1.14.5 (Nextcloud 22-24), 1.12.9 (Nextcloud 21), and 1.11.8 (Nextcloud 20) [1][2].
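A constructed illustration of the flaw class described above (example code added here, not Nextcloud Mail's own): a cache-sync handler resolves a mailbox by numeric id, and the fix is to verify that the mailbox's account belongs to the session user before returning subjects or previews. Class and function names, the sample users and the sample messages are all hypothetical.

```python
"""Constructed model of an IDOR in a mailbox cache-sync handler.
Ownership chain: mailbox -> account -> user.  Nothing here is Nextcloud's API."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mailbox:
    id: int
    account_id: int
    # Constructed sample headers: (subject, body preview), the two fields the
    # advisory says an attacker could read.
    messages: tuple[tuple[str, str], ...]


class NotFound(Exception):
    """Raised for missing *and* foreign mailboxes, so ids cannot be probed."""


class MailboxStore:
    def __init__(self) -> None:
        # account id -> owning user id; mailbox id -> Mailbox (constructed data)
        self.account_owner: dict[int, str] = {1: "alice", 2: "bob"}
        self.mailboxes: dict[int, Mailbox] = {
            10: Mailbox(10, 1, (("Q3 payroll", "Attached is the ..."),)),
            20: Mailbox(20, 2, (("Re: offer", "Thanks, I accept the ..."),)),
        }

    def find(self, mailbox_id: int) -> Mailbox:
        try:
            return self.mailboxes[mailbox_id]
        except KeyError:
            raise NotFound(mailbox_id) from None


def sync_vulnerable(store: MailboxStore, user: str, mailbox_id: int) -> list[tuple[str, str]]:
    """Pre-fix shape: the id from the request is trusted; `user` is never consulted."""
    return list(store.find(mailbox_id).messages)


def sync_hardened(store: MailboxStore, user: str, mailbox_id: int) -> list[tuple[str, str]]:
    """Fixed shape: resolve the object, then check the ownership chain before
    returning anything.  A foreign id gets the same NotFound as an unknown id."""
    mailbox = store.find(mailbox_id)
    if store.account_owner.get(mailbox.account_id) != user:
        raise NotFound(mailbox_id)
    return list(mailbox.messages)


def sync_or_none(store: MailboxStore, user: str, mailbox_id: int):
    """Convenience wrapper: the hardened result, or None when access is denied."""
    try:
        return sync_hardened(store, user, mailbox_id)
    except NotFound:
        return None
```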
Exploitation
An attacker needs network access to the Nextcloud instance and must be able to send API requests. No special authentication is required beyond a valid user session; the vulnerability allows a user to enumerate mailbox IDs belonging to other users. The attacker can craft requests to the mailbox cache endpoint with arbitrary mailbox IDs to retrieve subject lines and the first characters of email bodies [2].
Impact
Successful exploitation results in unauthorized disclosure of email subjects and partial content (first characters) of emails from any mailbox on the server. This compromises confidentiality of communications and may expose sensitive information. The attacker does not gain full email content or write access [2].
Mitigation
Users should upgrade to the patched versions: Mail 2.2.1 for Nextcloud 25, Mail 1.14.5 for Nextcloud 22-24, Mail 1.12.9 for Nextcloud 21, and Mail 1.11.8 for Nextcloud 20. No workarounds are available [1][2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- nextcloud/security-advisories (v5), range: < 1.11.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/nextcloud/mail/pull/7740 (mitre: x_refsource_MISC)
- github.com/nextcloud/security-advisories/security/advisories/GHSA-m45f-r5gh-h6cx (mitre: x_refsource_CONFIRM)
- hackerone.com/reports/1784681 (mitre: x_refsource_MISC)
News mentions
No linked articles in our index yet.