CVE-2022-24890: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor in nextcloud security-advisories
Nextcloud Talk is a video and audio conferencing app for Nextcloud. In versions prior to 13.0.5 and 14.0.0, a call moderator can indirectly enable user webcams by granting permissions, if they were enabled before removing the permissions. A patch is available in versions 13.0.5 and 14.0.0. There are currently no known workarounds.
AI Analysis
Technical Summary
CVE-2022-24890 is a vulnerability identified in Nextcloud Talk, a video and audio conferencing application integrated within the Nextcloud platform. The issue affects versions prior to 13.0.5 and 14.0.0. The vulnerability arises from improper permission handling related to webcam access during calls. Specifically, if a call moderator previously enabled a user's webcam and then removed the permission, the moderator can indirectly re-enable the user's webcam by granting permissions again. This behavior leads to unintended exposure of private video streams without explicit user consent at the time of reactivation. The root cause is a flaw in the permission management logic that fails to fully revoke or reset webcam access states when permissions are altered. This vulnerability falls under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating that private video data can be accessed by actors who should no longer have permission. There are no known exploits in the wild, and no workarounds have been identified. A patch addressing this issue is available in Nextcloud Talk versions 13.0.5 and 14.0.0, which corrects the permission handling to prevent unauthorized webcam activation. The vulnerability does not require user interaction beyond the moderator’s actions and does not require authentication beyond the moderator role, which is a privileged user within the call context.
Potential Impact
For European organizations using Nextcloud Talk versions prior to 13.0.5 or 14.0.0, this vulnerability poses a significant privacy risk. Unauthorized reactivation of webcams can lead to inadvertent disclosure of sensitive visual information, potentially violating GDPR and other data protection regulations. The exposure of private video streams can compromise confidentiality, especially in sectors handling sensitive or classified information such as government, healthcare, legal, and financial institutions. The integrity of user consent is undermined, as users may be unaware their webcam is active again. Although availability is not directly impacted, the trust in the conferencing platform may degrade, affecting operational continuity and user confidence. Since the vulnerability requires a call moderator role, the risk is higher in environments where moderator privileges are broadly assigned or insufficiently controlled. The lack of known exploits reduces immediate risk, but the potential for insider threats or compromised moderator accounts elevates concern. Organizations relying heavily on Nextcloud Talk for internal or external communications should prioritize remediation to prevent privacy breaches and regulatory non-compliance.
Mitigation Recommendations
1. Immediate upgrade to Nextcloud Talk versions 13.0.5 or 14.0.0 where the vulnerability is patched.
2. Restrict call moderator privileges strictly to trusted personnel and enforce the principle of least privilege to minimize the risk of misuse.
3. Implement monitoring and auditing of call moderator actions, especially changes to user permissions, to detect anomalous behavior.
4. Educate users and moderators about the risk of unauthorized webcam activation and encourage verification of webcam status before and during calls.
5. Where feasible, disable automatic webcam activation features or require explicit user consent each time the webcam is enabled.
6. Review and enhance internal policies regarding video conferencing security and privacy, including incident response plans for potential data exposure.
7. Consider network segmentation and endpoint security controls to limit the impact of any unauthorized access resulting from this vulnerability.
8. Engage with Nextcloud support and security advisories to stay informed about any further updates or related vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Austria, Switzerland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-02-10T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9848c4522896dcbf64a0
Added to database: 5/21/2025, 9:09:28 AM
Last enriched: 6/22/2025, 1:50:41 AM
Last updated: 7/25/2025, 11:13:08 PM