{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "25.0.1"
              },
              {
                "fixed": "25.0.7"
              }
            ]
          },
          "events": [
            {
              "introduced": "73a7196d45713c43ec59902e302ed9ead171f37f"
            },
            {
              "fixed": "12685bc42d5d2d169e2444e5f7388f85cb9c640a"
            }
          ],
          "repo": "https://github.com/nextcloud/photos",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "26.0.0"
              },
              {
                "fixed": "26.0.2"
              }
            ]
          },
          "events": [
            {
              "introduced": "48ce38f3f0cbaa0381fe35e52781fc32181c77e6"
            },
            {
              "fixed": "1b8874478180b55121cb65e3e1de3022701ed712"
            }
          ],
          "repo": "https://github.com/nextcloud/photos",
          "type": "GIT"
        }
      ]
    },
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "25.0.0"
              },
              {
                "fixed": "25.0.7"
              },
              {
                "introduced": "26.0.0"
              },
              {
                "fixed": "26.0.2"
              }
            ]
          },
          "events": [
            {
              "introduced": "20ea9a25353129b56d46951fe7d23939665ab2b2"
            },
            {
              "fixed": "f14c1100ecae34309931be4c51c8d82296ad17d2"
            },
            {
              "introduced": "62cfd3b4c9ff4d8cdbbe6dcc8b63a1085bb94e3d"
            },
            {
              "fixed": "053cefa373ab62edce8bb69fcfc0d6a5ee6fc3f9"
            }
          ],
          "repo": "https://github.com/nextcloud/server",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-9chh-5prm-wp43"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-284"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/37xxx/CVE-2024-37314.json"
  },
  "details": "Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2.",
  "id": "CVE-2024-37314",
  "modified": "2026-04-01T23:08:00.344127474Z",
  "published": "2024-06-14T15:05:48.284Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1946298"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/37xxx/CVE-2024-37314.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9chh-5prm-wp43"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37314"
    },
    {
      "type": "FIX",
      "url": "https://github.com/nextcloud/photos/pull/1749"
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Nextcloud Photos' shared albums have no restriction on photo removal"
}