Two Accounts Suddenly got Merged, Critical Security Breach

The worst thing happened today.

I received a call from a client that suddenly found files from another user in his sync directory. When I logged into the server these directories were not there.

I then looked at the other user's account and, both in the web console and in the user's sync directory, I found all the files and directories of the first user.

These two people have not shared any files with each other and not transferred the files or directories to each other; they don’t even know how to do that.

How can this possibly happen? This is like the most serious breach of security I’ve ever seen. They don’t even have each other's passwords.

Has anyone seen anything like this?

I recommend opening an issue directly on GitHub and putting [SECURITY] or something into the name. That way it can be investigated and fixed faster by the developers.

Provide as much information as possible: all logs, esp. Nextcloud, webserver and database, and everything else mentioned in Nextcloud's GitHub issue template.

But as I read again: Can you verify that user A did not (accidentally) share his files with user B? He can easily check that in his files app, in the shares category and activity log. I mean this should not happen accidentally, but who knows…

Which NC server version?