{"id":"CVE-2021-32727","details":"Nextcloud Android Client is the Android client for Nextcloud. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.16.1, the Nextcloud Android client skipped a step that involved the client checking if a private key belonged to a previously downloaded public certificate. If the Nextcloud instance served a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. The vulnerability is patched in version 3.16.1. As a workaround, do not add additional end-to-end encrypted devices to a user account.","aliases":["GHSA-5v33-r9cm-7736"],"modified":"2026-05-30T21:59:57.971904Z","published":"2021-07-12T21:15:07.817Z","references":[{"type":"ADVISORY","url":"https://github.com/nextcloud/android/pull/8438"},{"type":"ADVISORY","url":"https://github.com/nextcloud/end_to_end_encryption_rfc/blob/7f002996397faefb664019a97ebb0a1e210f64f0/RFC.md#further-devices"},{"type":"ADVISORY","url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5v33-r9cm-7736"},{"type":"REPORT","url":"https://hackerone.com/reports/1189162"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nextcloud/android","events":[{"introduced":"0"},{"fixed":"5b68a3a475acd0378f91f44dd5eedd79a454b952"}],"database_specific":{"source":"CPE_RANGE","extracted_events":[{"introduced":"0"},{"fixed":"3.16.1"}],"cpe":"cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:android:*:*"}}],"versions":["rc-3.16.1-01","stable-3.16.0","rc-3.16.0-02","rc-3.16.0-01","dev-20200129","dev-20200128","dev-20200125","dev-20200122","dev-20200121","dev-20200117","dev-20200118","dev-20200115","dev-20200112","dev-20200110","dev-20200109","dev-20200108","dev-20200107","dev-20191221","dev-20191220","dev-20191219","dev-20191218","dev-20191217","dev-20191214","dev-20191213","dev-20191211","dev-20191207","dev-20191206","dev-20191205","dev-20191204","dev-20191203","dev-20191129","dev-20191127","dev-20191123","dev-20191121","dev-20191120","dev-20191119","dev-20191116","dev-20191114","dev-20191113","dev-20191108","dev-20191107","dev-20191106","dev-20191102","dev-20191101","dev-20191031","dev-20191030","dev-20191029","dev-20191026","dev-20191025","dev-20191024","dev-20191022","dev-20191019","dev-20191018","dev-20191017","dev-20191016","dev-20191012","dev-20191011","dev-20191010","dev-20191009","dev-20191008","dev-20191005","dev-20191003","dev-20191002","dev-20190928","dev-20190926","dev-20190924","dev-20190921","dev-20190914","dev-20190913","dev-20190911","dev-20190910","dev-20190906","dev-20190905","dev-20190904","dev-20190903","dev-20190829","dev-20190828","dev-20190827","dev-20190824","dev-20190823","dev-20190822","dev-20190821","dev-20190820","dev-20190817","dev-20190816","dev-20190815","dev-20190813","dev-20190810","dev-20190809","dev-20190808","dev-20190806","dev-20190803","dev-20190802","dev-20190731","dev-20190730","dev-20190727","dev-20190726","dev-20190724","dev-20190723","dev-20190720","dev-20190717","dev-20190716","dev-20190711","dev-20190713","dev-20190710","dev-20190705","dev-20190704","dev-20190703","dev-20190702","dev-20190701","dev-20190629","dev-20190627","dev-20190625","dev-20190622","dev-20190621","dev-20190619","dev-20190615","dev-20190613","dev-20190612","dev-20190605","dev-20190604","dev-20190601","dev-20190531","dev-20190530","dev-20190529","dev-20190528","dev-20190524","dev-20190523","dev-20190522","dev-20190521","dev-20190520","dev-20190518","dev-20190517","dev-20190515","dev-20190514","dev-20190513","dev-20190502","dev-20190414","dev-20190413","dev-20190412","dev-20190411","dev-20190410","dev-20190409","dev-20190408","dev-20190406","dev-20190404","dev-20190403","dev-20190402","dev-20190329","dev-20190328","rc-3.6.0-01","dev-20190327","dev-20190323","dev-20190321","dev-20190320","dev-20190319","dev-20190316","dev-20190314","dev-20190313","dev-20190312","dev-20190310","dev-20190309","dev-20190308","dev-20190307","dev-20190306","dev-20190305","dev-20190301","dev-20190228","dev-20190227","dev-20190226","dev-20190221","dev-20190220","dev-20190219","dev-20190216","dev-20190215","dev-20190214","dev-20190213","dev-20190212","dev-20190209","dev-20190208","dev-20190207","dev-20190206","dev-20190205","dev-20190202","dev-20190201","dev-20190131","dev-20190130","dev-20190129","dev-20190126","dev-20190123","dev-20190122","dev-20190119","dev-20190118","dev-20190117","dev-20190116","dev-20190115","dev-20190113","dev-20190112","dev-20190108","dev-20190105","dev-20181222","dev-20181218","dev-20181216","dev-20181215","dev-20181214","dev-20181212","dev-20181211","dev-20181208","dev-20181207","dev-20181206","dev-20181204","dev-20181203","dev-20181107","dev-20181106","dev-20181103","dev-20181102","dev-20181101","dev-20181031","dev-20181030","dev-20181028","dev-20181027","dev-20181026","dev-20181025","dev-20181024","dev-20181023","dev-20181020","dev-20181018","dev-20181016","dev-20181013","dev-20181009","dev-20181006","dev-20180927","dev-20180926","dev-20180925","dev-20180924","dev-20180921","dev-20180920","dev-20180919","dev-20180918","dev-20180915","dev-20180914","dev-20180907","dev-20180913","dev-20180912","dev-20180911","dev-20180908","dev-20180905","dev-20180903","dev-20180829","dev-20180825","dev-20180824","dev-20180823","dev-20180821","dev-20180811","dev-20180809","rc-3.1.0-02","rc-3.1.0-01","rc-3.0.0-03","rc-3.0.0-02","rc-3.0.0-01","dev-20171213","dev-20171212","dev-20171211","dev-20171209","stable-2.0.0","rc-2.0.0-09","rc-2.0.0-08","rc-2.0.0-07","rc-2.0.0-06","rc-2.0.0-05","rc-2.0.0-04","rc-2.0.0-03","rc-2.0.0-01","stable-1.4.3","stable-1.4.2","rc-1.4.2-04","rc-1.4.2-02","rc-1.4.2-01","stable-1.4.1","rc-1.4.1-04","rc-1.4.1-03","rc-1.4.1-02","rc-1.4.1-01","stable-1.4.0","rc-1.4.0-04","rc-1.4.0-03","rc-1.4.0-02","rc-1.4.0-01","stable-1.3.1","stable-1.3.0","rc-1.3.0-02","rc-1.3.0-01","stable-1.2.0","rc-1.2.0-02","rc-1.2.0-01","stable-1.1.0","rc-1.1.0-02","rc-1.1.0-01","stable-1.0.1","stable-1.0.0","1.0.0","0.99","oc-android-1.8","oc-android-1.7.1_signed","oc-android-1.7.0_signed","oc-android-1.7.0","oc-android-1.5.3","1.4.6-easy-setup","oc-android-1.4.6","oc-android-1.4.5","oc-android-1.4.4","oc-android-1.4.3","oc-android-1-4-0","oc-android-1-3-20","oc-android-1-3-19","oc-android-1-3-18","oc-android-1-3-17","oc-android-1-3-14","oc-android-1-3-13"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-32727.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/nextcloud/desktop","events":[{"introduced":"0"},{"fixed":"d78359d1bc46600d850b01b234dcd7c6e983ff43"}],"database_specific":{"source":"CPE_RANGE","extracted_events":[{"introduced":"0"},{"fixed":"3.16.1"}],"cpe":"cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:android:*:*"}}],"versions":["v3.16.0","v3.16.0-rc4","v3.16.0-rc3","v3.16.0-rc2","v3.16.0-rc1","v3.6.0","v3.6.0-rc2","v3.6.0-rc1","v3.5.0","v3.5.0-rc4","v3.5.0-rc3","v3.5.0-rc2","v3.5.0-rc1","v3.4.0-do-not-use","v3.4.0-rc2","v3.4.0-rc1","v3.3.0","v3.3.0-rc2","v3.3.0-rc1","v3.2.0-rc3","v3.2.0-rc2","v3.2.0-rc1","v3.1.0","v3.1.0-rc2","v3.1.0-rc1","v2.7.0-rc1","v2.7.0-beta3","v2.7.0-beta2","v2.7.0-beta1","v2.5.3-rc2","v2.5.3-rc1","v2.5.2","v2.5.2-rc1","v2.5.1","v2.5.0","v2.5.0-rc2","v2.5.0-rc1","v2.5.0-beta2","v2.5.0-beta1","v1.8.0-beta1a","v1.8.0-beta1","v1.6.0","v1.6.0-rc3","v1.6.0-rc2","v1.6.0-rc1","v1.6.0-beta2","v1.6.0-beta1","v1.5.1-rc1","v1.5.0","v1.5.0-beta3","v1.5.0-beta1-2nd","v1.5.0-beta2","v1.5.0-beta1","v1.4.0","v1.4.0-rc1","v1.4.0-beta2","v1.4.0-beta1","v1.3.0-beta3","v1.3.0-beta2","v1.3.0-beta1","v1.2.5","v1.2.4","v1.2.3","v1.2.2","v1.2.1","v1.2.0","v1.1.2","v1.1.0","v1.1.0-beta1","v0.0.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-32727.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}