In Nextcloud Server versions prior to 21.0.3, WebAuthn tokens were not deleted when a user was deleted. If a victim reused a previously used username, the previous user could gain access to their account.
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6qr9-c846-j8mg
https://hackerone.com/reports/1202590
https://github.com/nextcloud/server/pull/27532
https://github.com/nextcloud/server/commit/e757a5ecfdcddbddc29edf0e61ba60de1181315b