Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.
This repository was archived by the owner on May 29, 2026. It is now read-only.

[CRITICAL] C2: Any user can grant super-user/admin status to any group #327

Description

@rubenvdlinde

Severity: CRITICAL

Location: lib/Controller/SettingsController.php lines 2399–2435 (setOrganizationAdminGroups, setSuperUserGroups, setGenericUserGroups)

Description:
All three group-assignment endpoints are annotated @NoAdminRequired with no further authorisation check. Any authenticated user can promote arbitrary Nextcloud groups to super-user or organisation-admin status.

Scenario:

POST /api/settings/user-groups/super-user
{"groups":["users"]}

Sent as any non-admin user → the entire users group is now marked as super-users.

Suggested fix:

  • Drop @NoAdminRequired from all three endpoints.
  • Add a service-layer isAdmin() guard before persisting group changes.

Source: deep team-reviewer pass 2026-05-27

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions