CVE Vulnerabilities


Improper Restriction of Excessive Authentication Attempts

Published: Mar 22, 2023 | Modified: Mar 29, 2023
CVSS 3.x
CVSS 2.x

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Enterprise Server is the enterprise version of the file server software. In Nextcloud Server versions 25.0.x prior to 25.0.5 and versions 24.0.x prior to 24.0.10 as well as Nextcloud Enterprise Server versions 25.0.x prior to 25.0.4, 24.0.x prior to 24.0.10, 23.0.x prior to, 22.x prior to, and 21.x prior to, when an attacker gets access to an already logged in user session they can then brute force the password on the confirmation endpoint. Nextcloud Server should upgraded to 24.0.10 or 25.0.4 and Nextcloud Enterprise Server should upgraded to,,, 24.0.10, or 25.0.4 to receive a patch. No known workarounds are available.


The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

Affected Software

Name Vendor Start Version End Version
Nextcloud_server Nextcloud 21.0.0 (including) 21.0.9 (excluding)
Nextcloud_server Nextcloud 22.2.0 (including) (excluding)
Nextcloud_server Nextcloud 23.0.0 (including) (excluding)
Nextcloud_server Nextcloud 24.0.0 (including) 24.0.10 (excluding)
Nextcloud_server Nextcloud 25.0.0 (including) 25.0.4 (excluding)

Potential Mitigations

  • Common protection mechanisms include:

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

  • Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]