CVE-2021-32726 in Server
Summary
by MITRE • 07/13/2021
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username, the previous user could gain access to their account. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/16/2021
The vulnerability described in CVE-2021-32726 represents a critical account takeover risk within the Nextcloud server ecosystem, specifically affecting versions prior to 19.0.13, 20.0.11, and 21.0.3. This flaw stems from improper handling of WebAuthn authentication tokens during user account deletion processes, creating a persistent security weakness that directly violates fundamental principles of authentication security and user isolation. The issue manifests when administrators or automated systems delete user accounts, yet fail to properly purge the associated WebAuthn tokens from the system's authentication database. This oversight creates a dangerous scenario where deleted user credentials can be exploited by subsequent users who reuse previously occupied usernames, fundamentally undermining the security model of user account management and authentication.
The technical root cause of this vulnerability lies in the incomplete cleanup of authentication state information within the Nextcloud server's backend systems. When a user account is deleted, the system should ensure complete removal of all associated authentication mechanisms including WebAuthn tokens, biometric data, and cryptographic credentials. However, the flaw allows these tokens to persist in the database, creating a situation where the cryptographic keys and authentication metadata remain accessible even after the user account has been terminated. This represents a violation of CWE-200 (Information Exposure) and CWE-284 (Improper Access Control) categories, as the system fails to properly enforce access controls and maintain proper information isolation between user accounts. The persistence of these tokens creates a direct pathway for privilege escalation attacks where an attacker can leverage the stored authentication data to impersonate legitimate users.
The operational impact of this vulnerability extends beyond simple account takeover scenarios to encompass broader security implications for organizations relying on Nextcloud for data storage and collaboration. Attackers can exploit this weakness by first identifying a target user account, then deleting that account through legitimate administrative processes, and finally creating a new account with the same username. The previously stored WebAuthn tokens automatically grant access to the new account, bypassing normal authentication procedures and creating a backdoor that can persist indefinitely until the vulnerability is patched. This vulnerability directly maps to ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts) and T1531 (Account Access Removal), as it enables unauthorized access through legitimate credentials while simultaneously undermining the integrity of account management processes. Organizations using Nextcloud in environments with sensitive data or regulatory compliance requirements face significant risks, as this vulnerability can be exploited to gain persistent access to systems without detection.
The remediation approach for this vulnerability requires immediate deployment of the patched versions 19.0.13, 20.0.11, and 21.0.3, which implement proper cleanup procedures for WebAuthn tokens during user account deletion. Organizations should conduct comprehensive audits of their Nextcloud installations to identify and remediate any instances of this vulnerability, particularly in environments where user account reuse is common or where administrative processes may inadvertently leave stale authentication data. Security teams must also implement monitoring procedures to detect unauthorized account creation or modification patterns that might indicate exploitation attempts. The vulnerability highlights the critical importance of proper state management in authentication systems and underscores the necessity of comprehensive testing for edge cases involving account lifecycle management. Without proper mitigation, this vulnerability creates a persistent risk that can be exploited by attackers with minimal technical expertise, making it particularly dangerous in environments with high user turnover or shared administrative access patterns.