API Security Blog

Workflows do not require password confirmation on API level

Description

Impact

When an attacker manages to get access to an active session of another user via another way, they could delete and modify workflows by sending calls directly to the API, bypassing the password confirmation shown in the UI.

Patches

It is recommended that the Nextcloud Server is upgraded to 26.0.9 or 27.1.4.

It is recommended that the Nextcloud Enterprise Server is upgraded to 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9 or 27.1.4.

Workarounds

No workaround available.

References

HackerOne
PullRequest

For more information

If you have any questions or comments about this advisory:

Create a post in nextcloud/security-advisories
Customers: Open a support ticket at…
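An added illustration of the defect class this advisory describes (not Nextcloud's code or the fix in the referenced pull request): a destructive workflow endpoint that relies only on the UI's password dialog, beside one that enforces a recent password confirmation in the server-side session, so a direct API call from a hijacked session is refused. The session model, function names, the 30-minute window and the sample credential hash are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Assumed re-authentication window; the real value is a server setting.
PASSWORD_CONFIRM_TTL = 30 * 60  # seconds

# Constructed test credential; a real deployment stores a proper password hash.
EXAMPLE_STORED_HASH = hashlib.sha256(b"correct horse").hexdigest()


@dataclass
class Session:
    """Server-side session state. A stolen cookie hands the attacker this same
    session, but never a fresh last_password_confirm: that is only set after
    the user proves the password again."""
    user: str
    last_password_confirm: Optional[float] = None  # epoch seconds, or None


class ConfirmationRequired(Exception):
    """Raised when a sensitive action is attempted without recent re-auth."""


def confirm_password(session: Session, supplied: str, stored_hash: str, now: float) -> bool:
    """Records a confirmation timestamp only after the supplied password matches."""
    digest = hashlib.sha256(supplied.encode()).hexdigest()
    if not hmac.compare_digest(digest, stored_hash):
        return False
    session.last_password_confirm = now
    return True


def require_recent_password_confirm(session: Session, now: float) -> None:
    """Rejects the request unless the password was confirmed within the window."""
    last = session.last_password_confirm
    if last is None or now - last > PASSWORD_CONFIRM_TTL:
        raise ConfirmationRequired("password confirmation required for this action")


def delete_workflow_vulnerable(session: Session, workflows: dict, wf_id: str) -> bool:
    """Pattern in the advisory: the UI asks for the password, but the API
    endpoint performs no check of its own, so direct calls always succeed."""
    return workflows.pop(wf_id, None) is not None


def delete_workflow_fixed(session: Session, workflows: dict, wf_id: str, now: float) -> bool:
    """Enforces the confirmation on the server, where a direct call cannot skip it."""
    require_recent_password_confirm(session, now)
    return workflows.pop(wf_id, None) is not None
```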
