Impact
When a folder or file is shared with a Nextcloud Team that includes an external member (a member identified only by an email address, without a Nextcloud account), Nextcloud automatically generates a link to the shared item and emails it to that external member. The link is not shown to the owner of the shared item and cannot be revoked through the normal sharing interface. It carries the Team's full permission set (read, write, delete, reshare and download), so anyone who obtains or intercepts it, not only the intended recipient, gets that level of access to everything in the shared folder. The root cause is a missing authorization check when the link is created (CWE-862, Missing Authorization).
Affected Systems
The issue affects Nextcloud versions 32.0.0 through 32.0.8 and 33.0.0 through 33.0.2. Any installation on those versions that allows Teams to include members by email address without a Nextcloud account is exposed. The flaw is triggered only by share actions that target a Team: a user who shares a file or folder with a Team containing an external member creates the link without any indication in the interface. Until the fix is applied, the owner of the shared folder can neither see nor revoke the hidden link through the regular sharing interface.
Risk and Exploitability
The CVSS base score is 6.4 (Medium). No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires possession of the link: an attacker must receive or otherwise obtain the automated email that carries it, or intercept that email in transit. The link is a public link and is not tied to an account, so whoever holds it gets the Team's full permissions (read, write, delete, reshare and download) on every item in the shared folder, effectively the same privileges as the external member who was sent the link. Because the owner cannot see the link or revoke it, unauthorized disclosure or modification can continue unnoticed for as long as the share exists.
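Because the link is hidden from the sharing interface, the only place to look for one on a live instance is below the UI. The audit query below is an added example written for this page, not code from Nextcloud or from the advisory. It assumes Nextcloud's default `oc_share` table layout (share_type 7 for a Team share, 3 for a public link, 4 for a share by email, link-style shares carrying a non-empty `token`), and it assumes the hidden link is recorded as a token-bearing share row on the same item as the Team share. The advisory confirms none of this, so the output is a review list for the item owner, not proof of compromise. It runs against constructed sample rows in SQLite so it can be tried offline; on a real instance point it at a read-only copy of the production database and adjust the table prefix if `dbtableprefix` was changed from the default `oc_`.

```python
"""Audit helper: list link-style shares that coexist with a Team share on the same item.

Added example for this advisory, not Nextcloud code. Assumptions (not stated by the
advisory): shares live in `oc_share` with the columns used below, share_type 7 is a
Team (formerly Circle) share, 3 a public link, 4 a share by email, and link-style
shares carry a non-empty `token`.
"""
import sqlite3
from dataclasses import dataclass

TYPE_LINK = 3   # public link
TYPE_EMAIL = 4  # share sent to an email address (also link based)
TYPE_TEAM = 7   # Team / Circle share


@dataclass(frozen=True)
class Suspect:
    share_id: int
    owner: str
    initiator: str
    file_target: str
    share_type: int
    token: str
    team: str


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a real oc_share table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """
        CREATE TABLE oc_share (
            id INTEGER PRIMARY KEY,
            share_type INTEGER NOT NULL,
            share_with TEXT,
            uid_owner TEXT NOT NULL,
            uid_initiator TEXT NOT NULL,
            file_source INTEGER NOT NULL,
            file_target TEXT NOT NULL,
            permissions INTEGER NOT NULL,
            token TEXT,
            stime INTEGER NOT NULL
        )"""
    )
    rows = [
        # alice shares /Finance (file_source 101) with the Team "finance-team"
        (1, TYPE_TEAM, "finance-team", "alice", "alice", 101, "/Finance", 31, None, 1700000000),
        # token-bearing share on the same item: the kind of row this audit is looking for
        (2, TYPE_EMAIL, "ext@example.org", "alice", "alice", 101, "/Finance", 31, "K7pQzR2mWx9", 1700000001),
        # bob's deliberate public link on an unrelated file: no Team share, so not flagged
        (3, TYPE_LINK, None, "bob", "bob", 202, "/report.pdf", 1, "Yh3bN8vL0tQ", 1700000100),
        # carol's Team share with no link alongside it: not flagged
        (4, TYPE_TEAM, "ops-team", "carol", "carol", 303, "/Runbooks", 15, None, 1700000200),
    ]
    conn.executemany("INSERT INTO oc_share VALUES (?,?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def find_link_shares_on_team_items(conn: sqlite3.Connection) -> list[Suspect]:
    """Return every token-bearing share whose file_source also has a Team share.

    The join pairs each link-style row with the Team share on the same item so the
    report can say which Team the link travelled with. Ordinary links on items that
    are not Team-shared are left alone.
    """
    sql = """
        SELECT l.id, l.uid_owner, l.uid_initiator, l.file_target, l.share_type, l.token, t.share_with
        FROM oc_share AS l
        JOIN oc_share AS t
          ON t.file_source = l.file_source AND t.share_type = ?
        WHERE l.share_type IN (?, ?) AND COALESCE(l.token, '') <> ''
        ORDER BY l.id
    """
    rows = conn.execute(sql, (TYPE_TEAM, TYPE_LINK, TYPE_EMAIL)).fetchall()
    return [Suspect(*row) for row in rows]


def report(suspects: list[Suspect]) -> list[str]:
    """Human-readable review lines; the token is truncated so the report itself is not a credential."""
    lines = []
    for s in suspects:
        kind = "public link" if s.share_type == TYPE_LINK else "mail share"
        lines.append(
            f"share {s.share_id}: {kind} on {s.file_target} (owner {s.owner}, created by {s.initiator}) "
            f"coexists with Team share '{s.team}'; token {s.token[:4]}... "
            f"-> confirm with owner, revoke if unintended"
        )
    return lines


if __name__ == "__main__":
    for line in report(find_link_shares_on_team_items(build_sample_db())):
        print(line)
```

The query deliberately over-reports: a link the owner created on purpose next to a Team share is flagged too, because the database alone cannot tell an intended link from one issued behind the owner's back. The point is to give each owner a short list to confirm, and to revoke through supported tooling anything they do not recognise; upgrading to a fixed release remains the actual remediation.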
OpenCVE Enrichment