Impact
Nextcloud Forms versions 4.3.0 through 5.2.6 contain a flaw that lets a removed collaborator retain read access to files that were uploaded as responses to a form. The vulnerability stems from a lingering file-share that is not cleaned up when the collaborator role is deleted, so the user keeps access to data they were once permitted to view. This is a classic case of sensitive data exposure, classified as CWE-552, and results in the unauthorized disclosure of private files without granting any additional privileges. Based on the description, the likely attack vector is inferred to be that lingering file-share itself: after removal, the former collaborator can still read the files they were previously allowed to see.
Affected Systems
The impacted software is the Nextcloud content collaboration platform, specifically the Forms app. Installations running Forms 4.3.0 up to, but not including, version 5.2.7 are affected. The issue is limited to uploaded response files of forms on which the deleted collaborator previously held results-access rights.
Risk and Exploitability
The flaw carries a CVSS score of 5.3, indicating moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA KEV, so the current exploitation likelihood is unknown. An attacker would need prior legitimate collaborator access to the form results to obtain the data; the vulnerability does not allow arbitrary code execution or full control of the system. Based on the description, it is inferred that exploitation requires the collaborator removal action to have been performed first, after which the residual file-share remains accessible to the removed user.
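As an added illustration (not Nextcloud's or the Forms app's own code), the following Python model shows the share-lifecycle mistake described in the Impact section and the sequence described above, alongside its fix: the vulnerable removal drops the collaborator role but leaves the file shares for uploaded response files in place, the hardened removal revokes every share that the role justified, and an audit helper finds shares whose recipient no longer holds results access. All names (Form, Share, RESULTS_ACCESS, the remove_collaborator_* functions) and the sample upload path are constructed for this example.

```python
"""Model of the share-cleanup invariant behind the Forms issue.

Constructed example: an in-memory model, not Nextcloud's code or API.
All class, function and permission names are hypothetical.
"""
from dataclasses import dataclass, field

RESULTS_ACCESS = "results"  # hypothetical name for the results-access permission


@dataclass(frozen=True)
class Share:
    file_path: str   # an uploaded response file
    recipient: str   # user id allowed to read it


@dataclass
class Form:
    owner: str
    uploads: list[str] = field(default_factory=list)
    collaborators: dict[str, set[str]] = field(default_factory=dict)
    shares: set[Share] = field(default_factory=set)

    def add_upload(self, path: str) -> None:
        """A respondent uploads a file; every results-access collaborator gets a share."""
        self.uploads.append(path)
        for user, perms in self.collaborators.items():
            if RESULTS_ACCESS in perms:
                self.shares.add(Share(path, user))

    def add_collaborator(self, user: str, perms: set[str]) -> None:
        """Grant a role; results access implies shares on all existing uploads."""
        self.collaborators[user] = set(perms)
        if RESULTS_ACCESS in perms:
            for path in self.uploads:
                self.shares.add(Share(path, user))

    def can_read(self, user: str, path: str) -> bool:
        """Read access comes from ownership or from an existing share."""
        return user == self.owner or Share(path, user) in self.shares


def remove_collaborator_vulnerable(form: Form, user: str) -> None:
    """The flawed pattern: the role is dropped but its file shares linger."""
    form.collaborators.pop(user, None)


def remove_collaborator_fixed(form: Form, user: str) -> None:
    """The fix: drop the role AND revoke every share the role justified."""
    form.collaborators.pop(user, None)
    form.shares = {s for s in form.shares if s.recipient != user}


def find_orphaned_shares(form: Form) -> set[Share]:
    """Audit check: shares whose recipient no longer holds results access."""
    return {
        s for s in form.shares
        if s.recipient != form.owner
        and RESULTS_ACCESS not in form.collaborators.get(s.recipient, set())
    }


def demo() -> tuple[bool, bool, int]:
    """Run removal both ways; return (read_after_vulnerable, read_after_fixed, orphans)."""
    form = Form(owner="alice")
    form.add_collaborator("bob", {RESULTS_ACCESS})
    upload = "/forms/1/uploads/answer.pdf"        # constructed sample path
    form.add_upload(upload)

    remove_collaborator_vulnerable(form, "bob")
    read_after_vulnerable = form.can_read("bob", upload)   # still True: the leak
    orphans = len(find_orphaned_shares(form))              # the audit flags it

    remove_collaborator_fixed(form, "bob")
    read_after_fixed = form.can_read("bob", upload)        # False: share revoked
    return read_after_vulnerable, read_after_fixed, orphans


if __name__ == "__main__":
    print(demo())   # (True, False, 1)
```

The audit helper is the part worth keeping around on a real deployment: any share on a response file whose recipient is neither the owner nor a current results-access collaborator is a lingering grant, which is exactly the condition a removal routine must clear and a periodic check can detect.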
OpenCVE Enrichment