Nextcloud User OIDC has an open redirection when logging in with User OIDC
Description
Open redirect in Nextcloud user_oidc app 6.0.x and below allows a malicious user to craft a login link that redirects to an arbitrary URL after successful authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The user_oidc app, an OpenID Connect user backend for Nextcloud, contains an open redirect vulnerability in versions prior to 6.1.0. The login function and the code function directly return a RedirectResponse with a user-supplied redirectUrl parameter without verifying that it points to a local path. A malicious user can craft a login link containing an absolute URL (e.g., https://evil.com) as the redirectUrl. Upon successful authentication, the victim is redirected to that external URL.[1][2][3]
Exploitation
To exploit this, the attacker must provide a victim with a specially crafted login link that includes an arbitrary absolute URL as the redirectUrl parameter. The victim must click the link and successfully authenticate with the OpenID Connect provider. No special network position or privileges are required beyond the ability to share a link. The attacker does not need to intercept the authentication flow; the redirect happens after a legitimate login. The fix introduced in PR #961 sanitizes the redirect URL by extracting only the path component via parse_url($redirectUrl, PHP_URL_PATH), preventing absolute URLs from being used.[1][2]
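The vulnerable pattern next to the path-only sanitisation described above, as an added PHP example that is not user_oidc's own code; the function names are assumptions, and the final guard against scheme-relative paths goes beyond the fix the page describes.

```php
<?php
declare(strict_types=1);

// Vulnerable shape (assumed name): the caller-supplied redirectUrl is
// returned verbatim, so "https://evil.example" becomes the Location target.
function redirectTargetUnsafe(string $redirectUrl): string
{
    return $redirectUrl;
}

// Hardened shape (assumed name): keep only the path component, as the page
// describes the fix doing, so an absolute or scheme-relative URL collapses
// to a local path. Note that the query string is dropped along with the host.
function redirectTargetSafe(?string $redirectUrl, string $default = '/'): string
{
    if ($redirectUrl === null || $redirectUrl === '') {
        return $default;
    }
    $path = parse_url($redirectUrl, PHP_URL_PATH);
    // parse_url returns null when the component is absent (e.g. a bare
    // "https://evil.example") and false for a malformed URL; both fall back.
    if (!is_string($path) || $path === '' || $path[0] !== '/') {
        return $default;
    }
    // Extra guard, not from the page's fix: a path starting with "//" or "/\"
    // can be interpreted by browsers as scheme-relative, so reject it too.
    $head = substr($path, 0, 2);
    if ($head === '//' || $head === '/\\') {
        return $default;
    }
    return $path;
}

// Constructed inputs: one legitimate in-app target and attacker-style links.
$cases = [
    '/apps/files/?dir=/Documents',
    'https://evil.example/phish',
    '//evil.example/phish',
    'https://evil.example',
];
foreach ($cases as $input) {
    printf("%-32s unsafe=%-28s safe=%s\n",
        $input, redirectTargetUnsafe($input), redirectTargetSafe($input));
}
```

Run with `php example.php` to compare what each variant would hand to RedirectResponse for the same input.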
Impact
An attacker who successfully exploits this can redirect an authenticated user to any external site. This is a classic open redirect, which can be used for phishing or to undermine trust in the Nextcloud instance. The confidentiality, integrity, and availability of the Nextcloud data are not directly compromised, but the user may be tricked into divulging credentials or other sensitive information on the malicious site. The severity is rated as medium (CVSS 5.4) due to the requirement for user interaction and the potential for phishing.[3]
Mitigation
The vulnerability is fixed in user_oidc version 6.1.0, released on 2024-11-15. Users should upgrade to this version or later. The fix is implemented in commit c923428, which ensures that the redirect URL is sanitized to only use the path component, thus blocking any absolute URLs. No workaround is available for versions prior to 6.1.0. This issue is not known to be in CISA's KEV catalog.[1][2][3]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- nextcloud/security-advisories (v5), range: >= 6.0.0, < 6.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/nextcloud/security-advisories/security/advisories/GHSA-784j-x2g5-4g7q (CONFIRM)
- github.com/nextcloud/user_oidc/commit/c923428d51972f6d04636c6accbecdec0c1b88e9 (MISC)
- github.com/nextcloud/user_oidc/pull/961 (MISC)
- hackerone.com/reports/2720030 (MISC)
News mentions
No linked articles in our index yet.