Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing sig…

Nextcloud, an open source content collaboration platform, contains a critical vulnerability in its User OIDC component affecting multiple version ranges (0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0). The vulnerability stems from missing signature verification that allows a malicious ID4me authority to impersonate any user within the system. This authentication bypass vulnerability poses significant security risks as it enables unauthorized access through identity spoofing. The issue has been addressed and patched in versions 3.1.0, 4.1.0, 5.1.0, 6.4.0, and 8.3.0. Organizations using affected versions should prioritize updating to the patched releases to prevent potential exploitation of this authentication mechanism flaw.