CVE-2023-26482 Scope of workflow operations is not validated

critical” security issue with Nextcloud was reported by heise today.

While the issue itself only affects Flow it’s recommended to upgrade your instance to latest version.

Affected versions >= 24.0.0, >= 25.0.0
Patched versions 24.0.10, 25.0.4

Details: Scope of workflow operations is not validated · Advisory · nextcloud/security-advisories · GitHub


There is already 25.0.5 and 24.0.11. So it is fixed for over a month now.

From the article, it seems that older versions are affected as well, it’s just that they are out of support (except for special enterprise subscriptions).

1 Like

I’m aware of newer versions… and I’m aware the issue is not such “critical”…
I posted and pinned the article for people coming here because of heise article (or if other sources start pickup the “news”)…

1 Like

I was just wondering. Normally, you push out an update, and then 2-3 weeks after you announce that there was an important fix. So probably most people have fixed it. But perhaps they waited until a certain percentage got the update.