User OIDC

CVEs (12)

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2026-45156	Nextcloud User OIDC	Hig	0.46	8.1	—	Jun 1, 2026	Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been…
CVE-2026-45284	Nextcloud User OIDC	Med	0.23	4.6	—	Jun 1, 2026	Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that where provided by LDAP to still authenticate towards user OIDC after they where deleted. This issue has been patched in version 8.4.0.
CVE-2026-45278	Nextcloud Nextcloud	Low	0.14	3.3	—	Jun 1, 2026	Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that would redirect users to another website, when the victim uses the attackers link to log in via user OIDC. This issue has been patched in…
CVE-2024-52512	Nextcloud User OIDC		0.00	—	0.01	Nov 15, 2024	user_oidc app is an OpenID Connect user backend for Nextcloud. A malicious user could send a malformed login link that would redirect the user to a provided URL after successfully authenticating. It is recommended that the Nextcloud User OIDC app is upgraded to 6.1.0.
CVE-2024-37886	Nextcloud User OIDC		0.00	—	0.01	Jun 14, 2024	user_oidc app is an OpenID Connect user backend for Nextcloud. An attacker could potentially trick the app into accepting a request that is not signed by the correct server. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.5, 2.0.0, 3.0.0, 4.0.0 or 5.0.0.
CVE-2024-37312	Nextcloud User OIDC		0.00	—	0.00	Jun 14, 2024	user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user…
CVE-2023-39954	Nextcloud User OIDC		0.00	—	0.01	Aug 10, 2023	user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, an attacker that obtained at least read access to a snapshot of the database can impersonate the Nextcloud server towards linked…
CVE-2023-39953	Nextcloud User OIDC		0.00	—	0.01	Aug 10, 2023	user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, missing verification of the issuer would have allowed an attacker to perform a man-in-the-middle attack returning corrupted or…
CVE-2023-32074	Nextcloud User OIDC		0.00	—	0.00	May 25, 2023	user_oidc app is an OpenID Connect user backend for Nextcloud. Authentication can be broken/bypassed in user_oidc app. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.2
CVE-2023-28848	Nextcloud User OIDC		0.00	—	0.00	Apr 4, 2023	user_oidc is the OIDC connect user backend for Nextcloud, an open source collaboration platform. A vulnerability in versions 1.0.0 until 1.3.0 effectively allowed an attacker to bypass the state protection as they could just copy the expected state token from the first request…
CVE-2022-39339	Nextcloud User OIDC		0.00	—	0.00	Nov 25, 2022	user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1 sensitive information such as the OIDC client credentials and tokens are sent in plain text of HTTP without TLS. Any malicious actor with access to monitor user traffic may have been able to…
CVE-2022-39338	Nextcloud User OIDC		0.00	—	0.00	Nov 25, 2022	user_oidc is an OpenID Connect user backend for Nextcloud. Versions prior to 1.2.1 did not properly validate discovery urls which may lead to a stored cross site scripting attack vector. The impact is limited due to the restrictive CSP that is applied on this endpoint.…

CVE-2026-45156HigJun 1, 2026
Nextcloud
User OIDC
risk 0.46cvss 8.1epss —
Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been…
CVE-2026-45284MedJun 1, 2026
Nextcloud
User OIDC
risk 0.23cvss 4.6epss —
Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that where provided by LDAP to still authenticate towards user OIDC after they where deleted. This issue has been patched in version 8.4.0.
CVE-2026-45278LowJun 1, 2026
Nextcloud
Nextcloud
risk 0.14cvss 3.3epss —
Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that would redirect users to another website, when the victim uses the attackers link to log in via user OIDC. This issue has been patched in…
CVE-2024-52512Nov 15, 2024
Nextcloud
User OIDC
risk 0.00cvss —epss 0.01
user_oidc app is an OpenID Connect user backend for Nextcloud. A malicious user could send a malformed login link that would redirect the user to a provided URL after successfully authenticating. It is recommended that the Nextcloud User OIDC app is upgraded to 6.1.0.
CVE-2024-37886Jun 14, 2024
Nextcloud
User OIDC
risk 0.00cvss —epss 0.01
user_oidc app is an OpenID Connect user backend for Nextcloud. An attacker could potentially trick the app into accepting a request that is not signed by the correct server. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.5, 2.0.0, 3.0.0, 4.0.0 or 5.0.0.
CVE-2024-37312Jun 14, 2024
Nextcloud
User OIDC
risk 0.00cvss —epss 0.00
user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user…
CVE-2023-39954Aug 10, 2023
Nextcloud
User OIDC
risk 0.00cvss —epss 0.01
user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, an attacker that obtained at least read access to a snapshot of the database can impersonate the Nextcloud server towards linked…
CVE-2023-39953Aug 10, 2023
Nextcloud
User OIDC
risk 0.00cvss —epss 0.01
user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, missing verification of the issuer would have allowed an attacker to perform a man-in-the-middle attack returning corrupted or…
CVE-2023-32074May 25, 2023
Nextcloud
User OIDC
risk 0.00cvss —epss 0.00
user_oidc app is an OpenID Connect user backend for Nextcloud. Authentication can be broken/bypassed in user_oidc app. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.2
CVE-2023-28848Apr 4, 2023
Nextcloud
User OIDC
risk 0.00cvss —epss 0.00
user_oidc is the OIDC connect user backend for Nextcloud, an open source collaboration platform. A vulnerability in versions 1.0.0 until 1.3.0 effectively allowed an attacker to bypass the state protection as they could just copy the expected state token from the first request…
CVE-2022-39339Nov 25, 2022
Nextcloud
User OIDC
risk 0.00cvss —epss 0.00
user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1 sensitive information such as the OIDC client credentials and tokens are sent in plain text of HTTP without TLS. Any malicious actor with access to monitor user traffic may have been able to…
CVE-2022-39338Nov 25, 2022
Nextcloud
User OIDC
risk 0.00cvss —epss 0.00
user_oidc is an OpenID Connect user backend for Nextcloud. Versions prior to 1.2.1 did not properly validate discovery urls which may lead to a stored cross site scripting attack vector. The impact is limited due to the restrictive CSP that is applied on this endpoint.…