Dwight Hohnstein

**Name of the Vulnerable Software and Affected Versions** Nextcloud Server versions prior to 9.0.54 Nextcloud Server versions prior to 10.0.1 ownCloud Server versions prior to 9.1.2 ownCloud Server versions prior to 9.0.6 ownCloud Server versions prior to 8.2.9 **Description** The issue allows an unauthenticated attacker to gain access to an account without valid credentials by exploiting the SMB user authentication bypass in the SMB authentication component. This component is optional and not enabled by default, requiring manual configuration in the config file. The problem arises because the backend does not properly handle SMB servers with anonymous authentication configured, which is the default setting for most SMB servers. **Recommendations** For Nextcloud Server versions prior to 9.0.54, update to version 9.0.54 or later. For Nextcloud Server versions prior to 10.0.1, update to version 10.0.1 or later. For ownCloud Server versions prior to 9.1.2, update to version 9.1.2 or later. For ownCloud Server versions prior to 9.0.6, update to version 9.0.6 or later. For ownCloud Server versions prior to 8.2.9, update to version 8.2.9 or later. As a temporary workaround, consider disabling the SMB backend until a patch is available.