
CVE-2022-29160: CWE-284: Improper Access Control in nextcloud security-advisories

Medium
Published: Fri May 20 2022 (05/20/2022, 15:55:10 UTC)
Source: CVE
Vendor/Project: nextcloud
Product: security-advisories

Description

Nextcloud Android is the Android client for Nextcloud, a self-hosted productivity platform. Prior to version 3.19.0, sensitive tokens, images, and user-related details remain on the device after deletion of a user account. This could result in misuse of the former account holder's information. Nextcloud Android version 3.19.0 contains a patch for this issue. There are no known workarounds available.

AI-Powered Analysis

Last updated: 06/22/2025, 01:37:11 UTC

Technical Analysis

CVE-2022-29160 is a medium-severity vulnerability affecting the Nextcloud Android client versions prior to 3.19.0. Nextcloud is a widely used self-hosted productivity platform that enables file sharing, collaboration, and synchronization across devices. The Android client stores sensitive user data such as authentication tokens, images, and other user-related details locally on the device. The vulnerability arises from improper access control (CWE-284) in the application's handling of user account deletion. Specifically, when a user account is deleted from the Nextcloud Android app, residual sensitive data remains on the device instead of being securely erased. This leftover data could be accessed or misused by unauthorized parties who gain access to the device or the app's storage, potentially leading to unauthorized access to the former user's account or exposure of private information. The issue was addressed and patched in Nextcloud Android version 3.19.0, which ensures proper deletion of sensitive data upon account removal. No known exploits are currently reported in the wild, and no workarounds exist other than upgrading to the fixed version. The vulnerability does not require user interaction beyond account deletion, and exploitation is limited to scenarios where an attacker has physical or logical access to the affected device or its storage. However, the impact on confidentiality is significant due to the exposure of sensitive tokens and user data, which could lead to account compromise or privacy violations if exploited.

Potential Impact

For European organizations using Nextcloud Android clients, especially those managing sensitive or regulated data, this vulnerability poses a risk of data leakage and unauthorized access. Residual tokens and user data left on devices after account deletion could be extracted by malicious insiders, attackers with physical access, or through malware that gains access to the device storage. This could lead to unauthorized access to corporate Nextcloud instances, exposing confidential documents, communications, and user credentials. The impact is particularly critical for sectors with strict data protection requirements such as finance, healthcare, and government agencies within Europe, where GDPR compliance mandates stringent control over personal and sensitive data. Additionally, organizations with mobile workforces relying on Nextcloud Android clients are at higher risk if devices are lost, stolen, or improperly decommissioned without upgrading the app. Although the vulnerability does not affect the core Nextcloud server, the client-side exposure can undermine overall security posture and trust in the platform. The absence of known exploits reduces immediate risk, but the potential for misuse remains until all affected clients are updated.

Mitigation Recommendations

1. Immediately upgrade all Nextcloud Android clients to version 3.19.0 or later so that the patch is applied and residual sensitive data is properly deleted upon account removal.
2. Implement mobile device management (MDM) policies to enforce app updates and restrict installation of outdated app versions.
3. Enforce device encryption and strong authentication mechanisms (PIN, biometrics) to reduce the risk of unauthorized physical access to stored data.
4. Educate users on securely deleting accounts and wiping devices before decommissioning or transfer.
5. Regularly audit and monitor Nextcloud client versions in use across the organization to identify and remediate vulnerable instances.
6. Consider implementing additional endpoint security controls to detect unauthorized access to app storage areas.
7. For highly sensitive environments, consider restricting use of mobile clients or enforcing session timeouts and token revocation policies on the server side to limit token lifespan.
8. Coordinate with Nextcloud administrators to review and tighten server-side access controls and logging to detect suspicious activity potentially stemming from compromised tokens.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-04-13T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9848c4522896dcbf64b9

Added to database: 5/21/2025, 9:09:28 AM

Last enriched: 6/22/2025, 1:37:11 AM

Last updated: 8/15/2025, 7:49:41 AM
