Disclosed but not verified.
https://www.exploit-db.com/exploits/47603
Beware
Report any potential security bug to us via our HackerOne page or security@nextcloud.com following our security policy instead of filing an issue in our bug tracker.
Thanks That’s the fastest way to get @rullzer attention