cbcvebase.
CVE-2023-26482
published 2023-03-30

CVE-2023-26482: Nextcloud server is an open source home cloud implementation. In affected versions a missing scope validation allowed users to create workflows which are…

PriorityP263high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
4.18%
89.6th percentile
Nextcloud server is an open source home cloud implementation. In affected versions a missing scope validation allowed users to create workflows which are designed to be only available for administrators. Some workflows are designed to be RCE by invoking defined scripts, in order to generate PDFs, invoking webhooks or running scripts on the server. Due to this combination depending on the available apps the issue can result in a RCE at the end. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. Users unable to upgrade should disable app `workflow_scripts` and `workflow_pdf_converter` as a mitigation.

Affected

8 ranges
VendorProductVersion rangeFixed in
nextcloudnextcloud_server>= 18.0.0 < 20.0.14.1220.0.14.12
nextcloudnextcloud_server>= 21.0.0 < 21.0.9.1021.0.9.10
nextcloudnextcloud_server>= 22.0.0 < 22.2.10.1022.2.10.10
nextcloudnextcloud_server>= 23.0.0 < 23.0.12.523.0.12.5
nextcloudnextcloud_server>= 24.0.0 < 24.0.1024.0.10
nextcloudnextcloud_server>= 25.0.0 < 25.0.425.0.4
nextcloudsecurity-advisories< 24.0.1024.0.10
nextcloudsecurity-advisories

Detection & IOCsextracted from sources · hover to see the quote

urlhttps://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
  • Monitor for non-admin users creating or modifying workflow configurations via the Nextcloud workflows API endpoint, which should be restricted to administrators only.
  • Alert on execution of server-side scripts or webhook invocations triggered by Nextcloud workflow events, particularly from the `workflow_scripts` or `workflow_pdf_converter` apps.
  • A public Metasploit exploit module exists for this CVE targeting Nextcloud as an authenticated (non-admin) user; monitor for exploitation attempts using this module against Nextcloud web application endpoints.
  • ·Disable the `workflow_scripts` and `workflow_pdf_converter` Nextcloud apps as a mitigation if upgrading is not immediately possible.
  • ·The RCE impact is conditional on the presence of specific apps (e.g., `workflow_scripts`, `workflow_pdf_converter`); assess which apps are installed before determining exploitability.
  • ·Exploitation requires an authenticated (non-admin) user account; unauthenticated exploitation is not possible.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.