CVE-2023-26482
Published: 30 March 2023
Summary
CVE-2023-26482 is a critical-severity OS Command Injection (CWE-78) vulnerability in Nextcloud Server, maintained by Nextcloud. Its CVSS base score is 9.0 (Critical).
It is ranked in the top 2.1% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.
Deeper analysis
Nextcloud Server, an open source home cloud platform, was missing a scope validation check in its workflow engine: a non-administrative user could create and activate workflows that are intended to be available only to administrators. Whether this authorization flaw becomes code execution depends on which workflow apps are installed. Apps such as workflow_scripts and workflow_pdf_converter run defined scripts on the server, generate PDFs, or trigger webhooks, so an attacker who can create an administrator-scoped workflow that invokes them can reach remote code execution. The vulnerability is tracked as CVE-2023-26482 with a CVSS score of 9.0 and is present in Nextcloud Server releases prior to 24.0.10 and 25.0.4.
An authenticated user with a standard, low-privilege account exploits the issue by creating administrator-scoped workflows; the resulting impact, up to full remote code execution, depends on the workflow apps installed on the server. The attack is carried out over the network and needs no authentication beyond a standard account, although user interaction is required in some cases.
Nextcloud's advisories direct administrators to upgrade to version 24.0.10 or 25.0.4. If patching is not immediately feasible, the interim workaround is to disable the workflow_scripts and workflow_pdf_converter apps, which removes the script-execution and PDF-conversion operations an attacker would chain with the authorization flaw; the missing scope check itself remains until the server is upgraded. The referenced GitHub security advisories and commit records detail the scope validation fix applied in the server codebase.
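As an added example (not Nextcloud's code and not part of the original advisory), the following Python script turns the guidance above into a check an administrator can run against the JSON printed by `occ status --output=json` and `occ app:list --output=json`: it compares the server version with the fixed releases, reports whether either workaround app is enabled, and lists the exact `occ` commands to run. The embedded inputs are constructed samples; the field names (`versionstring`, `enabled`, `disabled`) are assumed from the usual `occ` output, and the app ids are taken from the advisory text on this page, so confirm both against your own instance.

```python
"""Exposure check for CVE-2023-26482.

Added example, not Nextcloud project code. It consumes the JSON that
`occ status --output=json` and `occ app:list --output=json` print
(field names are an assumption; confirm them on your instance).
"""
import json

# Fixed releases named in the Nextcloud advisory, keyed by major version.
FIXED_RELEASES = {24: (24, 0, 10), 25: (25, 0, 4)}

# App ids the advisory tells administrators to disable if they cannot upgrade.
WORKAROUND_APPS = ("workflow_scripts", "workflow_pdf_converter")

# Constructed sample in the shape of `occ status --output=json`.
SAMPLE_STATUS = json.dumps({
    "installed": True,
    "version": "24.0.9.2",
    "versionstring": "24.0.9",
    "edition": "",
    "maintenance": False,
    "needsDbUpgrade": False,
    "productname": "Nextcloud",
})

# Constructed sample in the shape of `occ app:list --output=json`.
SAMPLE_APP_LIST = json.dumps({
    "enabled": {"workflowengine": "2.6.0", "workflow_scripts": "1.8.0", "files": "1.19.0"},
    "disabled": {"workflow_pdf_converter": None},
})


def parse_version(versionstring):
    """Reduce '24.0.9' or '24.0.9.2' to a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in versionstring.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable_version(versionstring):
    """True when the server predates the fixed release of its own series."""
    version = parse_version(versionstring)
    major = version[0]
    if major in FIXED_RELEASES:
        return version < FIXED_RELEASES[major]
    # Assumption: 23.x and older predate both fixes and are treated as
    # affected; 26.x and newer are outside the advisory's stated ranges.
    return major < 24


def assess(status_json, app_list_json):
    """Return a dict describing exposure and the remediation steps to take."""
    status = json.loads(status_json)
    apps = json.loads(app_list_json)
    versionstring = status["versionstring"]
    enabled = set(apps.get("enabled", {}))

    vulnerable = is_vulnerable_version(versionstring)
    # Enabled apps that give an admin-scoped workflow a code-execution sink.
    rce_apps = [app for app in WORKAROUND_APPS if app in enabled]

    actions = []
    if vulnerable:
        target = FIXED_RELEASES.get(parse_version(versionstring)[0])
        if target:
            actions.append("upgrade Nextcloud Server to %d.%d.%d" % target)
        else:
            actions.append("upgrade Nextcloud Server to at least 24.0.10 or 25.0.4")
        # The workaround removes the RCE path but not the missing scope check.
        actions += ["occ app:disable " + app for app in rce_apps]

    return {
        "version": versionstring,
        "vulnerable_server": vulnerable,
        "rce_apps_enabled": rce_apps,
        "actions": actions,
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_STATUS, SAMPLE_APP_LIST), indent=2))
```

On a real instance, capture the two JSON documents with the web server user (for example `sudo -u www-data php occ status --output=json`) and pass them to `assess`; a server that is still vulnerable with no workaround app enabled has no immediate RCE sink but still needs the upgrade, because the authorization flaw lives in the server itself.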
EPSS scores for this CVE rose from a low baseline to a peak of 0.7047, indicating that exploitation interest increased after public disclosure and that the issue merits renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-30290
Vulnerability details
Nextcloud server is an open source home cloud implementation. In affected versions a missing scope validation allowed users to create workflows which are designed to be only available for administrators. Some workflows are designed to be RCE by invoking defined scripts, in order to generate PDFs, invoking webhooks or running scripts on the server. Due to this combination depending on the available apps the issue can result in a RCE at the end. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. Users unable to upgrade should disable app `workflow_scripts` and `workflow_pdf_converter` as a mitigation.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.