CVE-2024-46958

9.1 CRITICAL

📋 TL;DR

This vulnerability in Nextcloud Desktop Client for Linux causes synchronized files to have overly permissive file permissions (world-writable or world-readable). This allows unauthorized users on the same system to read or modify sensitive synchronized files. Users running Nextcloud Desktop Client 3.13.1 through 3.13.3 on Linux are affected.

💻 Affected Systems

Products:
  • Nextcloud Desktop Client
Versions: 3.13.1 through 3.13.3
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Linux versions; Windows and macOS clients are not vulnerable. The issue occurs during file synchronization operations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive synchronized files (including confidential documents, credentials, or personal data) become accessible to all users on the system, potentially leading to data theft, unauthorized modification, or privilege escalation.

🟠 Likely Case

Local users on multi-user Linux systems can access or modify files they shouldn't have permission to, compromising data confidentiality and integrity of synchronized content.

🟢 If Mitigated

On single-user systems or systems with strict user isolation, the impact is reduced but still presents a risk if other applications or services run under different user contexts.

🌐 Internet-Facing: LOW - This is a local privilege issue affecting file permissions on the client system, not directly exploitable over the network.
🏢 Internal Only: HIGH - On multi-user Linux systems, any local user can potentially access or modify synchronized files belonging to other users.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the Linux system. Any local user can check file permissions on synchronized files and access/modify them if permissions are incorrectly set.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.13.4

Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories

Restart Required: Yes

Instructions:

1. Open Nextcloud Desktop Client.
2. Go to Settings > General.
3. Check 'Check for updates automatically' or manually check for updates.
4. Install version 3.13.4.
5. Restart the client application.

🔧 Temporary Workarounds

Manual permission correction (platform: linux)

Manually set correct permissions on synchronized files to remove the world-readable/world-writable bits:

find ~/Nextcloud -type f -perm /o=rw -exec chmod o-rw {} \;
find ~/Nextcloud -type d -perm /o=rwx -exec chmod o-rwx {} \;

Stop synchronization (platform: all)

Temporarily disable file synchronization until patched:

Open Nextcloud Desktop Client > Settings > Account > uncheck 'Enable' for the account

🧯 If You Can't Patch

  • Run Nextcloud Desktop Client on a single-user system where no other users have local access
  • Use filesystem monitoring to detect and correct permission changes on synchronized files

🔍 How to Verify

Check if Vulnerable:

Check if any files in your Nextcloud sync directory have world-readable or world-writable permissions. In the mode column of ls, the last three characters are the "other" bits, so match a regular file whose other-read or other-write bit is set: ls -la ~/Nextcloud/ | grep -E '^-.{6}(r|.w)'

Check Version:

nextcloud --version | grep -o 'version [0-9.]\+'

Verify Fix Applied:

After updating to 3.13.4, verify no new files get world permissions and check existing files: find ~/Nextcloud -type f -perm /o=rw 2>/dev/null | wc -l (should return 0)
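As an added example, not code from the page or from the Nextcloud project, the bash helpers below combine the "Verify Fix Applied" check with the permission correction suggested under "If You Can't Patch": they list every path under a sync directory that carries "other" permission bits, count them, and strip those bits while leaving user and group bits untouched. The sync directory path is a parameter supplied by the caller; the function names are assumptions.

```shell
#!/usr/bin/env bash
# Hypothetical audit helpers for a Nextcloud sync directory (not Nextcloud's code).
# They flag anything below the given directory that carries "other" permission
# bits, which is the condition this advisory describes, and can strip those bits.
set -u

# List offending paths, one per line. Regular files and directories are both
# flagged on any world bit (world-read counts too, per the advisory). find's
# -type f / -type d never match symlinks unless -L is given, so a link that points
# outside the sync tree is neither reported nor chmod'ed through.
ncperm_list() {
    local dir="$1"
    find "$dir" -type f -perm /o=rwx 2>/dev/null
    find "$dir" -type d -perm /o=rwx 2>/dev/null
}

# Number of offending paths; "0" means the tree is clean.
ncperm_count() {
    ncperm_list "$1" | wc -l | tr -d ' '
}

# Remove the "other" bits from every offending path: a 666 file becomes 660,
# a 777 directory becomes 770, and a 600 file is not touched at all.
# Returns 0 when the tree is clean afterwards, 1 otherwise.
ncperm_fix() {
    local dir="$1"
    find "$dir" -type f -perm /o=rwx -exec chmod o-rwx {} +
    find "$dir" -type d -perm /o=rwx -exec chmod o-rwx {} +
    [ "$(ncperm_count "$dir")" -eq 0 ]
}
```

Run ncperm_count "$HOME/Nextcloud" before and after updating to 3.13.4 to confirm no new world-accessible paths appear; ncperm_fix is the one-shot cleanup for an unpatched client.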

📡 Detection & Monitoring

Log Indicators:

  • File permission change events in system logs for Nextcloud directories
  • Audit logs showing unexpected access to Nextcloud synchronized files

Network Indicators:

  • None - this is a local file system issue

SIEM Query:

source="linux_audit" AND ((event_type="file_permission_change" AND file_path="/home/*/Nextcloud/*") OR (event_type="file_access" AND file_path="/home/*/Nextcloud/*" AND user!=owner_user))

🔗 References