CVE-2021-32727

Name of the Vulnerable Software and Affected Versions Nextcloud Android Client versions prior to 3.16.1

Description The issue concerns the Nextcloud Android Client's handling of end-to-end encryption. When using this feature, clients download public and private keys via an API endpoint. In affected versions, the client fails to verify if a private key matches a previously downloaded public certificate. This could allow a malicious actor to serve a fake public key, enabling them to access encrypted data.

Recommendations For versions prior to 3.16.1, update to version 3.16.1 to resolve the issue. As a temporary workaround, do not add additional end-to-end encrypted devices to a user account.