Missing access control in Nextcloud Deck 1.0.4 caused an insecure direct object reference allowing an malicious user to view all attachments.
nextcloud deck 1.0.4