HackerOne Disclosed Reports - 2026-05-21


Medium
resolved

Group restriction bypass via bearer token in user_oidc (SETTING_RESTRICT_LOGIN_TO_GROUPS not enforced in Backend::getCurrentUserId)


Bug reported by msat, disclosed on May 21, 2026 at 10:12 pm   |   Improper Access Control - Generic

A security inconsistency was identified in the user_oidc app where group-based login restrictions were enforced in the browser OIDC flow but not in bearer token validation. This could have allowed users outside whitelisted groups to access the Nextcloud API with a valid bearer token.
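The failure mode described in the summary, as an added illustration in Python rather than code from user_oidc or from the report, is a restriction enforced on one authentication path but skipped on another. The class and attribute names below are hypothetical; the `restrict_login_to_groups` setting only echoes the page's SETTING_RESTRICT_LOGIN_TO_GROUPS by name, and the token-to-identity map is constructed sample data standing in for real bearer-token validation. The hardened variant routes both entry points through a single authorization decision so the two paths cannot drift apart.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """Claims about an authenticated subject (constructed stand-in for provider output)."""
    sub: str
    groups: frozenset


@dataclass(frozen=True)
class Settings:
    """Login-restriction configuration. The attribute name echoes the page's
    SETTING_RESTRICT_LOGIN_TO_GROUPS; the shape is an assumption for this example."""
    restrict_login_to_groups: bool
    allowed_groups: frozenset


class VulnerableBackend:
    """Two authentication entry points; only the interactive one applies the restriction."""

    def __init__(self, settings: Settings, tokens: dict[str, Identity]):
        self.settings = settings
        # Constructed bearer-token -> identity map; stands in for real token validation.
        self.tokens = tokens

    def _group_allowed(self, identity: Identity) -> bool:
        if not self.settings.restrict_login_to_groups:
            return True
        return not self.settings.allowed_groups.isdisjoint(identity.groups)

    def browser_login(self, identity: Identity) -> str | None:
        """Interactive OIDC flow: the group restriction is enforced here."""
        return identity.sub if self._group_allowed(identity) else None

    def get_current_user_id(self, bearer: str) -> str | None:
        """Bearer path: the token is validated, but the group restriction is never consulted."""
        identity = self.tokens.get(bearer)
        return identity.sub if identity is not None else None


class HardenedBackend(VulnerableBackend):
    """Both entry points converge on one authorization decision."""

    def _authorize(self, identity: Identity) -> str | None:
        return identity.sub if self._group_allowed(identity) else None

    def browser_login(self, identity: Identity) -> str | None:
        return self._authorize(identity)

    def get_current_user_id(self, bearer: str) -> str | None:
        identity = self.tokens.get(bearer)
        if identity is None:
            return None
        return self._authorize(identity)


def compare_backends() -> dict[str, dict[str, str | None]]:
    """Run both backends against constructed users inside and outside the allowed groups."""
    settings = Settings(restrict_login_to_groups=True, allowed_groups=frozenset({"staff"}))
    outsider = Identity(sub="alice", groups=frozenset({"guests"}))
    member = Identity(sub="bob", groups=frozenset({"staff"}))
    tokens = {"tok-alice": outsider, "tok-bob": member}  # constructed sample tokens
    results: dict[str, dict[str, str | None]] = {}
    for name, cls in (("vulnerable", VulnerableBackend), ("hardened", HardenedBackend)):
        backend = cls(settings, tokens)
        results[name] = {
            "browser_outsider": backend.browser_login(outsider),
            "bearer_outsider": backend.get_current_user_id("tok-alice"),
            "bearer_member": backend.get_current_user_id("tok-bob"),
            "bearer_unknown": backend.get_current_user_id("tok-nope"),
        }
    return results


if __name__ == "__main__":
    for name, outcome in compare_backends().items():
        print(name, outcome)
```

Running `compare_backends()` shows the inconsistency directly: the vulnerable backend rejects the outsider in the browser flow yet returns her user id for a valid bearer token, while the hardened backend rejects her on both paths and still accepts the group member. A regression test that drives every authentication entry point with the same out-of-group identity is the simplest way to keep such paths from diverging again.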




