Login Sign Up

CVE-2024-37886

5.4 MEDIUM
Authentication Bypass

📋 TL;DR

CVE-2024-37886 is a signature verification bypass vulnerability in Nextcloud's user_oidc app that allows attackers to potentially forge OpenID Connect authentication requests. This could lead to unauthorized access or account compromise. All Nextcloud instances using the user_oidc app before versions 1.3.5, 2.0.0, 3.0.0, 4.0.0, or 5.0.0 are affected.

💻 Affected Systems

Products:
  • Nextcloud user_oidc app
Versions: All versions before 1.3.5, 2.0.0, 3.0.0, 4.0.0, or 5.0.0
Operating Systems: All platforms running Nextcloud
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Nextcloud instances using the user_oidc app for OpenID Connect authentication.

📦 What is this software?

User Oidc by Nextcloud

View all CVEs affecting User Oidc →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could gain unauthorized access to Nextcloud accounts, potentially compromising sensitive data or performing privilege escalation.

🟠

Likely Case

Authentication bypass allowing unauthorized access to user accounts via forged OpenID Connect requests.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, but still presents authentication risk.

🌐 Internet-Facing: HIGH - Nextcloud instances exposed to the internet are directly vulnerable to authentication bypass attacks.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this to gain unauthorized access, but requires internal network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires understanding of OpenID Connect protocol and ability to forge authentication requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.5, 2.0.0, 3.0.0, 4.0.0, or 5.0.0

Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vw5h-29xf-g55g

Restart Required: No

Instructions:

1. Access Nextcloud admin interface. 2. Navigate to Apps section. 3. Find 'user_oidc' app. 4. Update to version 1.3.5, 2.0.0, 3.0.0, 4.0.0, or 5.0.0. 5. Verify update completes successfully.

🔧 Temporary Workarounds

Disable user_oidc app

linux

Temporarily disable the vulnerable user_oidc app until patching is possible

occ app:disable user_oidc

🧯 If You Can't Patch

  • Implement network-level controls to restrict access to Nextcloud authentication endpoints
  • Enable enhanced logging and monitoring for authentication attempts and review regularly

🔍 How to Verify

Check if Vulnerable:

Check user_oidc app version in Nextcloud admin interface or run: occ app:list | grep user_oidc

Check Version:

occ app:list | grep user_oidc

Verify Fix Applied:

Verify user_oidc app version shows 1.3.5, 2.0.0, 3.0.0, 4.0.0, or 5.0.0 in admin interface

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns
  • Failed OpenID Connect signature validations
  • Authentication from unexpected sources

Network Indicators:

  • Unusual traffic to /apps/user_oidc/ endpoints
  • Authentication requests with modified signatures

SIEM Query:

source="nextcloud.log" AND ("user_oidc" OR "OpenID Connect") AND ("failed" OR "invalid" OR "signature")

📊 Metadata

CVE ID: CVE-2024-37886
CVSS v3 Score: 5.4 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-347
Published: June 14, 2024
Last Updated: August 14, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-37886, you might also want to check these:

CVE-2022-24884 10.0

This vulnerability in ecdsautils allows attackers to forge ECDSA signatures by providing zero-value ...

Same vulnerability type (CWE-347)
CVE-2023-25574 10.0

CVE-2023-25574 is a critical authentication bypass vulnerability in jupyterhub-ltiauthenticator's LT...

Same vulnerability type (CWE-347)
CVE-2024-45409 10.0

CVE-2024-45409 is a critical authentication bypass vulnerability in the Ruby SAML library where SAML...

Same vulnerability type (CWE-347)