CVE-2022-36075: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in nextcloud security-advisories
Nextcloud files access control is a nextcloud app to manage access control for files. Users with limited access can see file names in certain cases where they do not have privilege to do so. This issue has been addressed and it is recommended that the Nextcloud Files Access Control app is upgraded to 1.12.2, 1.13.1 or 1.14.1. There are no known workarounds for this issue.
AI Analysis
Technical Summary
CVE-2022-36075 is a medium-severity information-disclosure flaw (CWE-200) in the Nextcloud Files Access Control app (app id files_accesscontrol), which lets administrators define rules that block access to files based on conditions such as user group, file tag or request origin. In certain cases a user whose access to a file is restricted by such a rule can still see the file's name. File contents are not exposed, but the name alone can reveal that a confidential document exists and how the storage is organised. The affected versions are every release before 1.12.2, 1.13.0 (fixed in 1.13.1) and 1.14.0 (fixed in 1.14.1); the remedy is to upgrade to 1.12.2, 1.13.1 or 1.14.1, and no workaround exists. Exploitation needs nothing more than an authenticated account that already has limited access: no extra privilege, no user interaction, and no exploitation in the wild has been reported. The advisory does not describe the exact code path, only that the app's rule enforcement fails to hide file names in some situations, so the practical reading is that any rule-restricted user should be assumed able to list names in the affected directories until the app is patched.
Potential Impact
For European organizations the main concern is regulatory rather than technical. File names frequently carry client names, project codes, case references or other personal data, and under the GDPR an unauthorised disclosure of such data may count as a personal data breach even when the file body stays hidden. Leaked names also hand an insider, or an attacker who has obtained a low-privilege account, a map of what exists and where, which is useful for social engineering, competitive intelligence and follow-on attacks. Finance, healthcare, government and critical-infrastructure organisations are most exposed because of the sensitivity of their data and the scrutiny they face, and Nextcloud's wide adoption across Europe as a self-hosted file sharing and collaboration platform puts many deployments in scope. No active exploitation is known, but the flaw is a cheap reconnaissance aid for anyone who already holds a limited account, and a disclosure traced to it would undermine the confidentiality guarantees those deployments are relied on for.
Mitigation Recommendations
Upgrade the Files Access Control app to 1.12.2, 1.13.1 or 1.14.1, whichever matches the installed release branch; on the command line this is occ app:update files_accesscontrol, and occ app:list shows the version currently installed. Do not disable the app as a stop-gap: its rules are what restrict access in the first place, so disabling it removes the restriction entirely instead of closing the leak. Alongside patching, audit the access-control rules and the underlying share permissions so that users hold only the access they need; enable the admin_audit app so that file access events are logged and unusual browsing by low-privilege accounts can be spotted; and keep multi-factor authentication and network restrictions on the Nextcloud front end so that a limited account is harder for an outsider to obtain in the first place. Finally, treat file names as data in their own right and use non-descriptive names for the most sensitive material, which limits what any future metadata leak can reveal.
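The affected-version ranges above are branch-specific (the 1.13 and 1.14 branches each have a single vulnerable release), so a plain "older than 1.14.1" check gives wrong answers for 1.12.2 and 1.13.1. The following script is an added example, not code from the advisory or the Nextcloud project. It encodes the three ranges from the advisory, compares an installed version against them, and reads the app version out of occ app:list --output=json output, whose shape is assumed here to be {"enabled": {app_id: version, ...}, "disabled": {...}}; the sample JSON is constructed for the example.

```python
"""Check an installed Nextcloud Files Access Control version against CVE-2022-36075."""
import json
import sys

APP_ID = "files_accesscontrol"

# Affected ranges from the advisory, as (lower bound inclusive, upper bound exclusive).
# The upper bound of each range is also the fixed version for that branch.
AFFECTED_RANGES = (
    ((0, 0, 0), (1, 12, 2)),    # everything before 1.12.2
    ((1, 13, 0), (1, 13, 1)),   # 1.13.0 only
    ((1, 14, 0), (1, 14, 1)),   # 1.14.0 only
)


def parse_version(text):
    """'1.13.0' -> (1, 13, 0). Pads a missing patch component and drops a '-beta'-style suffix."""
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version):
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version):
    """Fixed release on the same branch, or None if the version is not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def installed_version(app_list_json):
    """Return (state, version) for the app from occ app:list --output=json, or None if absent.

    Assumed output shape: {"enabled": {app_id: version}, "disabled": {app_id: version}}.
    Some occ versions report a bare true for disabled apps; that is returned as version None.
    """
    data = json.loads(app_list_json)
    for state in ("enabled", "disabled"):
        apps = data.get(state, {})
        if APP_ID in apps:
            ver = apps[APP_ID]
            return state, (ver if isinstance(ver, str) else None)
    return None


def assess(app_list_json):
    found = installed_version(app_list_json)
    if found is None:
        return f"{APP_ID} not installed"
    state, ver = found
    if ver is None:
        return f"{APP_ID} is {state} but occ did not report a version; check manually"
    if is_vulnerable(ver):
        return f"{APP_ID} {ver} ({state}) is affected by CVE-2022-36075; upgrade to {fixed_version_for(ver)}"
    return f"{APP_ID} {ver} ({state}) is not in an affected range"


# Constructed sample in the assumed occ app:list --output=json shape.
SAMPLE_APP_LIST = json.dumps({
    "enabled": {"files_accesscontrol": "1.13.0", "workflowengine": "2.6.0"},
    "disabled": {"files_external": "1.15.0"},
})

if __name__ == "__main__":
    # Pipe real output in: sudo -u www-data php occ app:list --output=json | python3 check.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_APP_LIST
    print(assess(source))
```

Run it with the real occ output piped on stdin; with no input it evaluates the constructed sample and reports that 1.13.0 needs 1.13.1. The same range table can be reused for any advisory that fixes one branch at a time, which is the case that a single "less than latest" comparison gets wrong.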
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Austria, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-07-15T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9845c4522896dcbf411d
Added to database: 5/21/2025, 9:09:25 AM
Last enriched: 6/22/2025, 7:36:03 PM
Last updated: 8/13/2025, 12:47:47 PM