VYPR
Unrated severity · NVD Advisory · Published May 25, 2023 · Updated Jan 16, 2025

Nextcloud user_oidc app is missing brute force protection

CVE-2023-32074

Description

The User OIDC app for Nextcloud lacks brute-force protection, allowing authentication bypass. Upgrade to 1.3.2 to fix.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The user_oidc app for Nextcloud versions prior to 1.3.2 lacks brute-force protection, so an attacker can repeatedly attempt authentication without being rate limited or locked out. This vulnerability is documented in the security advisory [1].

Exploitation

An attacker can exploit this by sending a large number of login requests with different credentials until one succeeds. The attack requires only network access to the Nextcloud instance, no privileges, and no user interaction. Because no brute-force protection is applied, the attempts can continue indefinitely [1].

Impact

Successful exploitation allows an attacker to gain unauthorized access to a victim's account, potentially leading to full control over the user's data and actions. This compromises the confidentiality, integrity, and availability of the Nextcloud system [1].

Mitigation

The vulnerability is fixed in user_oidc version 1.3.2. Users should upgrade to this version or later. The fix was implemented in pull request #615, which added brute-force protection [2]. No workarounds have been disclosed.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
