Nextcloud · Nextcloud Server · CVE-2021-41239
**Name of the Vulnerable Software and Affected Versions**
Nextcloud Server versions prior to 20.0.14
Nextcloud Server versions prior to 21.0.6
Nextcloud Server versions prior to 22.2.1
**Description**
The Nextcloud server is a self-hosted system designed to provide cloud-style services. In affected versions, the User Status API did not consider the user enumeration settings set by the administrator. This allowed a user to enumerate other users on the instance, even when user listings were disabled.
**Recommendations**
For versions prior to 20.0.14, upgrade to 20.0.14.
For versions prior to 21.0.6, upgrade to 21.0.6.
For versions prior to 22.2.1, upgrade to 22.2.1.
If you cannot upgrade immediately, consider disabling the User Status API as a temporary workaround until a patched version is installed.
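
The fixed versions above are per release branch, so a single "older than 22.2.1" comparison would wrongly flag 20.0.14 and 21.0.6. The following added example (not part of the original advisory or of Nextcloud's code) checks an inventory branch by branch. It assumes each server's `status.php` JSON has been collected, that majors after 22 already contain the fix, and that majors before 20 should move to the lowest fixed release; hostnames and sample documents are constructed.

```python
import json

# Fixed releases per major branch, taken from the advisory text above.
FIXED = {20: (20, 0, 14), 21: (21, 0, 6), 22: (22, 2, 1)}

def parse_version(text):
    """Turn '22.2.0' or '22.2.0.2' into a tuple of the first three integers."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts[:3])

def required_upgrade(version_text):
    """Return the fixed release to upgrade to, or None if not affected."""
    version = parse_version(version_text)
    major = version[0]
    if major > max(FIXED):
        return None  # assumption: majors after 22 already carry the fix
    if major < min(FIXED):
        fixed = FIXED[min(FIXED)]  # assumption: older majors go to the lowest fixed release
    else:
        fixed = FIXED[major]
    return None if version >= fixed else ".".join(map(str, fixed))

def audit(inventory):
    """Map host -> fixed release needed, for hosts reporting an affected version."""
    findings = {}
    for host, status_json in inventory.items():
        status = json.loads(status_json)
        target = required_upgrade(status["versionstring"])
        if target:
            findings[host] = target
    return findings

# Constructed sample inventory: hostnames and status documents are made up.
SAMPLE = {
    "cloud-a.example": '{"installed": true, "versionstring": "22.2.0"}',
    "cloud-b.example": '{"installed": true, "versionstring": "21.0.6"}',
    "cloud-c.example": '{"installed": true, "versionstring": "20.0.13"}',
    "cloud-d.example": '{"installed": true, "versionstring": "20.0.14"}',
}

if __name__ == "__main__":
    for host, target in audit(SAMPLE).items():
        print(f"{host}: affected, upgrade to {target}")
```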