CVE-2021-32726

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-32726

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-32726.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-32726

Downstream

openSUSE-SU-2021:1068-1

Related

GHSA-6qr9-c846-j8mg
openSUSE-SU-2021:1068-1

Published

2021-07-12T20:15:10.037Z

Modified

2026-02-03T07:26:16.444758Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username, the previous user could gain access to their account. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.

References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type: GIT
Repo: https://github.com/nextcloud/server
Events: Fixed

3845aa47869e6787bf9b25cae59f9b999c6f7807

Introduced

615b994816710a595243d704c9be445f736b4b41

Fixed

3eb0ce9892933c36672e8ba35e771e48a5309321

Introduced

8985b7930653139859002eb3eca2852999ed8f0d

Fixed

5d04a3fed226c370feca686032f47d5422b02bb2

Affected versions

v20.*

v20.0.0

v20.0.1

v20.0.10

v20.0.10RC1

v20.0.11rc1

v20.0.1RC1

v20.0.2

v20.0.2RC1

v20.0.2RC2

v20.0.3

v20.0.3RC2

v20.0.4

v20.0.5

v20.0.5RC1

v20.0.5RC2

v20.0.6

v20.0.6RC1

v20.0.7

v20.0.7RC1

v20.0.8

v20.0.8RC1

v20.0.9

v20.0.9RC1

v21.*

v21.0.0

v21.0.1

v21.0.1RC1

v21.0.2

v21.0.2RC1

v21.0.3rc1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-32726.json"