Read-only share recipient can restore old versions of file.


The restore capability of Nextcloud was not verifying whether an user has only read-only access to a share. Thus an user with read-only access was able to restore old versions.

Affected Software

  • Nextcloud Server < 9.0.52

Action Taken

The permission check is now also performed on restore actions.

Steps To Repro:

1)Create A Document
2)Share It With Someone
3) Name The Owner As Owner And The Other User As X
4) Now From Owner Add A New Version Of The File.
5) From User X Restore The Previous Version And Intercept The Request.
6) Now Delete User X From Can-Edit Rank
7) Now From Owner Add New Version Again.
8) Now Repeat The Request That Was Intercepted By User X And You Will See That Document Got Restored.


Thanks for reading !!!

You may also like...

1 Response

Leave a Reply

Your email address will not be published. Required fields are marked *