CVE-2021-32800— Bypass of Two Factor Authentication in Nextcloud server
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-32800
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Bypass of Two Factor Authentication in Nextcloud server
Source: NVD (National Vulnerability Database)
Vulnerability Description
Nextcloud server is an open source, self hosted personal cloud. In affected versions an attacker is able to bypass Two Factor Authentication in Nextcloud. Thus knowledge of a password, or access to a WebAuthN trusted device of a user was sufficient to gain access to an account. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. There are no workaround for this vulnerability.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
关键功能的认证机制缺失
Source: NVD (National Vulnerability Database)
Vulnerability Title
Nextcloud 访问控制错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Nextcloud是德国Nextcloud公司的一套开源的自托管文件同步和共享的通信应用平台。 Nextcloud server存在访问控制错误漏洞,该漏洞源于攻击者可利用该漏洞能够绕过Nextcloud中的双因素身份验证。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| nextcloud | security-advisories | < 20.0.12 | - |
II. Public POCs for CVE-2021-32800
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-32800
请登录查看更多情报信息。
- https://github.com/nextcloud/server/pull/28078x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2021-32800
Same Patch Batch · nextcloud · 2021-09-07 · 9 CVEs total
| CVE-2021-32802 | 9.3 CRITICAL | Preview generation used third-party library not suited for user-generated content in Nextc |
| CVE-2021-37628 | 7.5 HIGH | File Drop can be bypassed using Richdocuments app in nextcloud |
| CVE-2021-37630 | 6.5 MEDIUM | Secret Circle can be joined without approval in Nextcloud Circles |
| CVE-2021-37631 | 6.5 MEDIUM | Circle can be accessed by non-Circle members in Nextcloud Deck |
| CVE-2021-32782 | 5.8 MEDIUM | Cross-Site Scripting in Nextcloud Circles |
| CVE-2021-32801 | 5.5 MEDIUM | Exceptions may have logged Encryption-at-Rest key content in Nextcloud server |
| CVE-2021-32766 | 5.3 MEDIUM | Nextcloud Text app can disclose existence of folders in "File Drop" link share |
| CVE-2021-37629 | 5.3 MEDIUM | Lack of ratelimit on Richdocuments OCS endpoint in nextcloud |
IV. Related Vulnerabilities
Same product: security-advisories
- CVE-2026-28272
Kiteworks Email Protection Gateway has a Cross-site Scriptin - CVE-2026-28271
Kiteworks Core is vulnerable to Server-Side Request Forgery - CVE-2026-28270
Kiteworks Core has an Unrestricted Upload of File with Dange - CVE-2026-28269
Kiteworks Core has an OS Command Injection - CVE-2025-66558
Nextcloud Twofactor WebAuthn app was updated based on public
Same vendor: nextcloud
- CVE-2025-66558
Nextcloud Twofactor WebAuthn app was updated based on public - CVE-2025-66556
Nextcloud talk allows participants to blindly delete poll dr - CVE-2025-66554
Nextcloud Contacts vulnerable to Stored XSS in contacts app - CVE-2025-66549
Nextcloud Desktop discloses information when attempting to l - CVE-2025-66545
Nextcloud Groupfolders users with read-only permissions for
Same weakness: CWE-306
- CVE-2021-47940
WordPress Download From Files 1.48 Arbitrary File Upload - CVE-2021-47936
OpenCATS 0.9.4 Remote Code Execution via Resume Upload - CVE-2021-47933
WordPress MStore API 2.0.6 Arbitrary File Upload - CVE-2026-8185
UGREEN CM933 Administrative missing authentication - CVE-2026-42302
FastGPT: Unauthenticated Remote Code Execution (RCE) via cod
V. Comments for CVE-2021-32800
No comments yet