LogicalBreach Academy

Credential Disclosure via Unvalidated directDownloadUrl (Missing DontAddCredentialsAttribute) | Free Bug Bounty Writeup | LogicalBreach Academy

Writeups Cheatsheets Tools Collections Authors Noc Pricing

Back

Insufficiently Protected Credentials (CWE-522)CVSS 4.2Hard

Credential Disclosure via Unvalidated directDownloadUrl (Missing DontAddCredentialsAttribute)

hackerone-reports

April 18, 2026

1 views

Save

€235

Vulnerability Summary

HackerOne disclosed report --> https://hackerone.com/reports/3400143 by py0zz1

Summary:

The Nextcloud Desktop Client automatically includes user credentials (Authorization header with username:password in Base64) when downloading files via the directDownloadUrl feature. A malicious Nextcloud server can exploit this by setting directDownloadUrl to an attacker-controlled URL, causing the client to leak credentials to the attacker's server.

Root Cause: The client fails to validate the origin of directDownloadUrl and does not set DontAddCredentialsAttribute for cross-origin requests, allowing HttpCredentialsAccessManager to automatically inject Authorization headers to any URL specified by the server, including attacker-controlled domains.

Technical Details

Vulnerable Code

Identification Required

You must be logged in to read this writeup. Join our community of researchers today.

hackerone-reports

€13,553 Documented

Profile →

Discussion

No comments yet.

Be the first to share your thoughts

Premium writeups about bug bounty hunting and web security.
Written by real security researchers.

Navigation

Writeups Cheatsheets Tools Authors Noc Pricing

Contactcontact@logicalbreach.com

RSS FeedPrivacy PolicyTerms of Service