Impact
In Nextcloud Server versions 32.0.0 through 32.0.1 and 33.0.0 through 33.0.0, the files_lock application failed to verify that a requesting user owned the file referenced in a WebDAV lock or unlock operation. An authenticated attacker could therefore lock or unlock any file by supplying its absolute path, thereby affecting that file’s availability and potentially disrupting other users’ workflows. In addition, the application exposed lock tokens in error responses, enabling adversaries to acquire tokens that belong to other users and revoke their locks without permission. The flaw represents a misimplementation of access control (CWE‑287) with implications for data integrity and availability.
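The two defects described above, modelled on a minimal in-memory lock service as an added illustration (constructed example, not code from Nextcloud or the files_lock app): the vulnerable handlers skip the ownership check and echo the existing token in the error, while the hardened handlers authorize against a hypothetical path-to-owner map and return a generic error that carries no token.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass, field

class LockError(Exception):
    """Error message returned to the client; the fixed path never includes a token."""

@dataclass
class LockService:
    # Hypothetical ownership map (constructed sample data): absolute path -> owner
    owners: dict[str, str]
    # Active locks: absolute path -> (locking user, lock token)
    locks: dict[str, tuple[str, str]] = field(default_factory=dict)

    # --- vulnerable behaviour (what the advisory describes) ------------------
    def lock_vulnerable(self, user: str, path: str) -> str:
        # Flaw 1: any authenticated user may lock any absolute path; no ownership check.
        if path in self.locks:
            _, token = self.locks[path]
            # Flaw 2: the error response reveals another user's lock token.
            raise LockError(f"path already locked, token={token}")
        token = secrets.token_hex(16)
        self.locks[path] = (user, token)
        return token

    def unlock_vulnerable(self, user: str, path: str, token: str) -> None:
        # Anyone holding the token can revoke the lock, even if it is not theirs.
        entry = self.locks.get(path)
        if entry is None or entry[1] != token:
            raise LockError("no matching lock")
        del self.locks[path]

    # --- hardened behaviour --------------------------------------------------
    def _authorize(self, user: str, path: str) -> None:
        # One generic error for "not yours" and "does not exist": the response
        # must not confirm whether another user's file is present.
        if self.owners.get(path) != user:
            raise LockError("forbidden")

    def lock_fixed(self, user: str, path: str) -> str:
        self._authorize(user, path)
        if path in self.locks:
            raise LockError("path already locked")  # no token in the message
        token = secrets.token_hex(16)
        self.locks[path] = (user, token)
        return token

    def unlock_fixed(self, user: str, path: str, token: str) -> None:
        self._authorize(user, path)
        entry = self.locks.get(path)
        # The lock must belong to the requester and the token must match exactly.
        if entry is None or entry[0] != user or not secrets.compare_digest(entry[1], token):
            raise LockError("no matching lock")
        del self.locks[path]
```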
Affected Systems
Nextcloud Server 32.0.0 up to but not including 32.0.2, and 33.0.0 up to but not including 33.0.1. Nextcloud Enterprise Server versions that have not yet been upgraded to 31.0.14.4, 32.0.2, or 33.0.1 are potentially vulnerable.
Risk and Exploitability
The CVSS score of 6.3 categorizes the vulnerability as moderate, and no EPSS data is publicly available for this issue. The vulnerability is not listed in the CISA KEV catalog, indicating that no large-scale active exploitation campaigns are currently known. The attack vector is an authenticated Nextcloud user on the affected instance: no further privileges are described. By sending crafted WebDAV lock or unlock requests for specified paths, such a user can alter the lock state of other users' files and obtain lock tokens that allow legitimate locks to be removed. The attack does not grant remote code execution, but it undermines user control over files and can serve as a foothold for further lateral movement or denial of service within the Nextcloud environment.
OpenCVE Enrichment