{"id":"CVE-2023-49790","summary":"App PIN code can be bypassed in Nextcloud Files iOS","details":"The Nextcloud iOS Files app allows users of iOS to interact with Nextcloud, a self-hosted productivity platform. Prior to version 4.9.2, the application can be used without providing the 4 digit PIN code. Nextcloud iOS Files app should be upgraded to 4.9.2 to receive the patch. No known workarounds are available.","aliases":["GHSA-j8g7-88vv-rggv"],"modified":"2026-04-12T06:44:54.314876Z","published":"2023-12-22T16:19:28.440Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-287"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/49xxx/CVE-2023-49790.json"},"references":[{"type":"WEB","url":"https://hackerone.com/reports/2245437"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/49xxx/CVE-2023-49790.json"},{"type":"ADVISORY","url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j8g7-88vv-rggv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49790"},{"type":"FIX","url":"https://github.com/nextcloud/ios/pull/2665"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nextcloud/ios","events":[{"introduced":"0"},{"fixed":"2a9b9d80eeef6d3d564b4e0dc07f744b0d88a718"}]}],"versions":["2.17","2.17.2","2.17.7","2.17.8","2.18.1","2.19.3","2.20.1","2.21.0","2.22.1","2.22.5","2.22.6","2.23.7","3.0.10","3.0.11","3.0.12","3.0.14","3.0.15","3.1.0","3.2.0","3.3.0","3.4.0","3.4.1","3.4.2","3.4.3","3.4.4","3.4.5","4.0.0","4.0.1","4.0.2","4.0.3","4.0.4","4.0.5","4.0.6","4.1.0","4.2.0","4.2.1","4.2.2","4.3.0","4.3.1","4.4.0","4.4.1","4.4.2","4.4.3","4.4.4","4.5.0","4.5.1","4.5.2","4.5.3","4.5.4","4.5.5","4.5.6","4.5.7","4.6.0","4.7.0","4.8.0","4.8.1","4.8.3","4.8.4","4.8.5","4.8.6","4.9.0","4.9.1","v2.23.8","v2.24.0","v2.24.1","v2.24.2","v2.24.3","v2.25.2","v2.25.3","v2.25.4","v2.25.5","v2.25.6","v2.25.7","v2.25.9","v3.0.0","v3.0.1","v3.0.2","v3.0.3","v3.0.4","v3.0.5","v3.0.6","v3.0.7","v3.0.8"],"database_specific":{"vanir_signatures":[{"id":"CVE-2023-49790-47cb16c7","source":"https://github.com/nextcloud/ios/commit/2a9b9d80eeef6d3d564b4e0dc07f744b0d88a718","signature_version":"v1","deprecated":false,"signature_type":"Line","target":{"file":"Widget/Widget-Brinding-header.h"},"digest":{"threshold":0.9,"line_hashes":["289205019596704620420982683311375731514"]}},{"id":"CVE-2023-49790-89825601","source":"https://github.com/nextcloud/ios/commit/2a9b9d80eeef6d3d564b4e0dc07f744b0d88a718","signature_version":"v1","deprecated":false,"signature_type":"Line","target":{"file":"iOSClient/Utility/CCUtility.h"},"digest":{"threshold":0.9,"line_hashes":["112173329753056903180984462876509896245","110945458296116854393824999252860522629","271541081634847873814353017330378646873","139135920270742116834688243540465954183","275332674802083690680798926454885545066","254871343197979509222751983946897532855","123993924388937578691860271658873068748","193090720028766701138294781152324181082","169368724535884785976751269861988387151","150391637519334315455290703188312205045","3835931684407054496780342101117097439","257857448304893024233222584185989740434","6719209182373161526318208923297433781","295688564053313991451685274971777299308","10392441310323031979424611655810653106","97013246760161581707014735183533480320","177892911885412068550180954232718006990","288796905947921996608006327992635015165","107385557575227458309401318652957035857","223109994966252354900487459272629370793","229332709349458681798384420634559884778","190871710824011370664620858850079538727","307020673145089343098187497077483292285","222153032577036595940095882580308294292","211177048055351992004992426423129177335","193567567449671931410639686289372032529","221059062961361345213795155749548380909","240899881459712743497282160149586446078","60708865003726791410067071091406047660","176561128590165218861249330291541941249","309273627049024044471518607284531659682","66778117869771188816697448336147055539","45110134684909902469637707784742979849","282053558237452878570554500714111376349","279651741612988142292639085097949265405","315337689871195740645616320784673873389","206364264092191845615041487025166326763","304060055431396155638126202049184152688","338135370472643215393214840166800479717","216934716994392548905917918929654253098","294749349450924403523887650098891722501","313267271252019076070508800911884234042","186841192750970798057853722708429622719","160939576093470145346166689099747164565","147531562068505776641994534688873590272","223387450727944217538146454319964619161","84374336678802915232499844150402947996","4977121209656986808362321081737801856","335268299954639773934624787116915537212","269401798114076186218165639612221777402","49137040224432205460347085479436673330","9624925151350539646557036952847934746","334294142975749004446672899364091399391","284791082997067989747947600274692788695","184608961169106480920180571885130603335","116208396005085135955441011926175110453","258812771641472526593106845921894538801","106331110546375056376905043630178185288","26962097615939758671456206930506018237","185954393135041120214214337743429045367","76088755911406060877817196485839625001","80398832663506060746591238656078522231","30444566314949698397310798659378245328","51156269626858437043632614269508165448","82513869842454823826724033110054635684","230339673747130192804941682298645350374","335398010861179369105339956855484904606","184358173963615830904210054027134263445","244340498141684254371304911676229014558","215429335746749088140366557316682888242","332082677144451877177545216055919790168","153971042823961770492506172304880905130","42205191060221873777156317340316406760","325595991815258433097118267765653189833","184891180397736718818384170048636585898","247225710257424621174770117887241617355","246775764145507042459332924026029613768","49712783777420249155245905477758488109","200412759541561945089851470804102875984","137373984669688156836974719716534055724","154764024642251786708357555520139736192","48179705602889107456367163511643900911","218329293393749321507958650814264724206","322525640168795801230251398787628428562","285770362095052414946398369059218678988","308899233075760755114662642879812731989","80887532680453137897671228898151760740","300222100050572861253032823558287584193","65821807931344594689084703082962866064","147375765831316345153365385860016429308","80192757548922635954450373929023881788","42746633444067758905948454875401724146","44795090571892193393802459461165940136","55349343015293288797761073251587319563","1582023343770897169701621649756543177","163455051774082527274366970638887847921","101972105364678542607453991903731394911","133630718105775933830591631221168129153","114949687189233510327655215804597358063","26658458059961633171221848184514267284","11885809434945102211642505978809349143","317300270777635271892866159476984890916","148440166730187412207485123088814985117","39891664916248563779807755263421985099","202825971698176428800631922237222711602","150174709750781637976736622739940341114","138819738465312289052142101284388280112","22070653887949721449201282881931670780","331154191908988910579841732827663210599","159030911457440303064137752062934942344","144243943614401566379376329380020597356","209021947775716501970979765295876252874","182044510343390659418035178402752043319","54577941840364493433832235782269598375","271246429202886272231686925791259270505","44088587769752678068368844963114860750","208638291246239761738363648955552766722","59757612953658690914735130445624830028","280329190785354963687716181041678035394","44587688160540642989326784030732241451","252719105674164966192390830841575515873","181623168822566753830699794928535446463","332105826963056237155898730724171564413","192237245962243883688012966784748513499","22416665341350743796827477148416361172","282563367905750360043819575165212891841","232148066323862986543787004789475272286","82307989567367853541341873106384536873","139472773863057234924319373650463237788","71369809427406142781768053213488442595","237239840128610405841106923603739506150","302070286142136761967270729497558959564","113022338600253726578426234919944531437","323929254808124834825352120273696489944","223308951378702138192494680261601123465","292632465406464631009230331274719266778","58970680679042680744148225649153864149","22853308967407143397895100912830588144","340240646383100612922936822348450565745","333422325186838656218430016509024845408","247638744559748229414345937599387557753","117019547191512728827252780399361602481","134536364938054977327428016029278819549"]}},{"id":"CVE-2023-49790-ae5ba6ee","source":"https://github.com/nextcloud/ios/commit/2a9b9d80eeef6d3d564b4e0dc07f744b0d88a718","signature_version":"v1","deprecated":false,"signature_type":"Line","target":{"file":"iOSClient/PushNotification/NCPushNotificationEncryption.h"},"digest":{"threshold":0.9,"line_hashes":["153506089562391721903482851223166524953"]}},{"id":"CVE-2023-49790-c67dd526","source":"https://github.com/nextcloud/ios/commit/2a9b9d80eeef6d3d564b4e0dc07f744b0d88a718","signature_version":"v1","deprecated":false,"signature_type":"Line","target":{"file":"Share/Share-Bridging-Header.h"},"digest":{"threshold":0.9,"line_hashes":["111984409702932655804657089236724611583"]}}],"vanir_signatures_modified":"2026-04-12T06:44:54Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-49790.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}]}