App lockout in Nextcloud Android app can be bypassed via third-party apps
Description
Nextcloud Android is an Android app for interfacing with the Nextcloud home server ecosystem. In versions from 3.7.0 and before 3.24.1, an attacker with access to the unlocked physical device can bypass the Nextcloud Android PIN/passcode protection via a third-party app. This allows the attacker to see metadata such as the sharer, sharees and activity of files. It is recommended that the Nextcloud Android app be upgraded to 3.24.1. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Nextcloud Android app may allow bypassing the PIN/passcode via a third-party app, revealing file metadata on an unlocked device.
Vulnerability
Nextcloud Android versions 3.7.0 through 3.24.0 allow an attacker with physical access to an unlocked device to bypass the app's PIN/passcode protection via a third-party application. The root cause is in lifecycle handling: for activities that extend AuthenticatorActivity and run with the singleTask launch mode, PassCodeManager.onActivityResumed can be invoked twice for a single foreground transition, once from onResume and once from onNewIntent, which allows the passcode check to be circumvented [1][2].
Exploitation
An attacker needs physical access to a device that is already unlocked. Using a third-party app that generates a deep link or otherwise interacts with the Nextcloud app, the attacker triggers the vulnerable code path that skips the PIN/passcode prompt. No authentication or privileges beyond that physical access are required [1][2].
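The lifecycle problem described in the Vulnerability and Exploitation sections, as an added example that is not Nextcloud's code: a hypothetical Python model of a passcode manager that tracks foreground state with a counter, a scripted timeline in which a third-party intent makes the resumed callback run a second time for an activity that is already on screen, and a variant that keys on activity identity so the duplicate callback is harmless. The class names, the one-second lock timeout and the activity names are assumptions for illustration; the real Nextcloud logic and the fix in [1] may differ in detail.

```python
# Added example: a hypothetical model of a passcode manager, not Nextcloud's
# code. Names are stand-ins chosen to mirror the Android lifecycle callbacks
# named in the advisory.

LOCK_TIMEOUT_S = 1.0  # assumed policy: prompt again after >= 1 s in the background


class CounterPassCodeManager:
    """Tracks how many of the app's activities are visible with a plain counter."""

    def __init__(self):
        self.visible = 0
        self.locked_at = -LOCK_TIMEOUT_S  # makes the very first launch prompt
        self.prompts = 0

    def _should_request(self, now):
        # Prompt only when none of our activities is visible and the app has
        # been in the background for at least the lock timeout.
        return self.visible <= 0 and now - self.locked_at >= LOCK_TIMEOUT_S

    def on_activity_resumed(self, activity, now):
        asked = self._should_request(now)
        if asked:
            self.prompts += 1
        # Defect being modelled: a second callback for the same activity
        # (onNewIntent on a singleTask activity) counts it a second time.
        self.visible += 1
        return asked

    def on_activity_stopped(self, activity, now):
        self.visible -= 1
        if self.visible <= 0:
            self.locked_at = now


class IdentityPassCodeManager(CounterPassCodeManager):
    """Same policy, but remembers which activities are visible, so a repeated
    resumed callback for an activity already on screen is ignored."""

    def __init__(self):
        super().__init__()
        self.visible_ids = set()

    def on_activity_resumed(self, activity, now):
        if activity in self.visible_ids:
            return False  # already counted; a duplicate callback changes nothing
        asked = self._should_request(now)
        if asked:
            self.prompts += 1
        self.visible_ids.add(activity)
        self.visible = len(self.visible_ids)
        return asked

    def on_activity_stopped(self, activity, now):
        self.visible_ids.discard(activity)
        self.visible = len(self.visible_ids)
        if self.visible == 0:
            self.locked_at = now


def _resume(manager, activity, now, label, prompted):
    if manager.on_activity_resumed(activity, now):
        prompted.append(label)


def run_bypass_scenario(manager):
    """Constructed timeline: the user unlocks the app at t=0; at t=0.5 a
    third-party app delivers an intent that re-enters the already visible
    singleTask activity, so the resumed callback fires a second time; the user
    leaves the app at t=1 and comes back at t=60. Returns the labels of the
    resume events that prompted for the passcode."""
    main = "main_activity"  # hypothetical activity identity
    prompted = []
    _resume(manager, main, 0.0, "launch", prompted)
    _resume(manager, main, 0.5, "third_party_intent", prompted)
    manager.on_activity_stopped(main, 1.0)
    _resume(manager, main, 60.0, "return", prompted)
    return prompted


def run_normal_scenario(manager):
    """Constructed timeline with no hostile intent: launch, open a second
    activity and come back, leave the app, return a minute later. A correct
    manager prompts exactly at launch and on return."""
    main, detail = "main_activity", "detail_activity"  # hypothetical identities
    prompted = []
    _resume(manager, main, 0.0, "launch", prompted)
    _resume(manager, detail, 2.0, "open_detail", prompted)
    manager.on_activity_stopped(main, 2.1)
    _resume(manager, main, 3.0, "back_to_main", prompted)
    manager.on_activity_stopped(detail, 3.1)
    manager.on_activity_stopped(main, 5.0)
    _resume(manager, main, 60.0, "return", prompted)
    return prompted


if __name__ == "__main__":
    print("counter, hostile intent:", run_bypass_scenario(CounterPassCodeManager()))
    print("identity, hostile intent:", run_bypass_scenario(IdentityPassCodeManager()))
    print("counter, normal use:", run_normal_scenario(CounterPassCodeManager()))
    print("identity, normal use:", run_normal_scenario(IdentityPassCodeManager()))
```

Running the module prints which resume events prompted. With the counter-based manager the hostile timeline prompts only at launch, because the extra increment keeps the counter positive across the trip to the background, so returning to the app never asks for the passcode. The identity-based manager prompts at launch and again on return, and both managers behave identically on the benign timeline, which is the property a fix has to preserve.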
Impact
Successful exploitation lets the attacker view file metadata, specifically the sharer, sharees and activity information, without entering the app's PIN or passcode. It does not yield file contents or code execution, but it does expose sensitive information about who shares what and what users have done [2].
Mitigation
Upgrade to Nextcloud Android 3.24.1 (released March 2023), which fixes the issue so that the passcode check is no longer bypassed when activities are restarted [1][2]. There is no workaround; updating the app is the only mitigation [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=3.7.0, <3.24.1
- nextcloud/security-advisories (v5): Range: >=3.7.0, <3.24.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/nextcloud/android/pull/11242 (MITRE x_refsource_MISC)
- [2] github.com/nextcloud/security-advisories/security/advisories/GHSA-c3rf-94h6-vj8v (MITRE x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.