https://github.com/nextcloud/server/issues/33883
When doing a GET request on /ocs/v1.php/cloud/user?format=json
the server returns user data, including one containing the full local server path:
"storageLocation": "/home/bohwaz/www/tmp/nextcloud/data/bohwaz",
This is not a big security issue (as you need to be logged-in to get that response), but this is data that an attacker shouldn’t be able to know easily.
This happens on a brand new install after using the web installer.
Sensitive internal info