Hi Team,
After some testing on the Nextcloud server, I found a context-dependent access control issue: when I delete a workflow at /nextcloud/index.php/settings/user/workflow,
the server asks for password confirmation, but it can be bypassed if I directly request the delete endpoint.
CDCA is a security mechanism that restricts access to resources based on the context of the request. If CDCA is broken, an attacker can exploit this flaw to gain unauthorized access to resources. This can have serious consequences, such as data breaches, theft of credentials, and denial of service attacks.
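Added example (not Nextcloud's code and not part of the original report): a Python sketch of the server-side fix pattern for this class of bug, where the password-confirmation requirement is enforced on the DELETE handler itself rather than only by the settings UI dialog. The session field, the 30-minute freshness window, the `route_delete` dispatcher and the workflow fixture are all constructed assumptions for illustration.

```python
import re
import time
from functools import wraps

# Assumption for this example: a confirmation is "fresh" for 30 minutes.
PASSWORD_CONFIRM_TTL_SECONDS = 30 * 60


class Session:
    """Minimal stand-in for a server session (constructed for the example)."""

    def __init__(self, user_id):
        self.user_id = user_id
        self.last_password_confirm = None  # epoch seconds of last confirmation


def confirm_password(session, now=None):
    """Record a successful password confirmation in the session.

    In a real application this is called only after the submitted password
    has been verified; the verification itself is out of scope here.
    """
    session.last_password_confirm = time.time() if now is None else now


class Forbidden(Exception):
    pass


def password_confirmation_required(handler):
    """Decorator: reject the call unless the session holds a fresh confirmation.

    Because the check runs inside the handler, a client that skips the UI
    dialog and calls the endpoint directly is rejected just the same.
    """

    @wraps(handler)
    def wrapper(session, *args, now=None, **kwargs):
        current = time.time() if now is None else now
        last = session.last_password_confirm
        if last is None or current - last > PASSWORD_CONFIRM_TTL_SECONDS:
            raise Forbidden("password confirmation required")
        return handler(session, *args, **kwargs)

    return wrapper


# Constructed fixture: two workflows, both owned by user 1.
WORKFLOWS = {
    3: {"owner": 1, "name": "example-3"},
    4: {"owner": 1, "name": "example-4"},
}


@password_confirmation_required
def delete_workflow(session, workflow_id):
    """Delete a workflow owned by the calling user (ownership is checked too)."""
    wf = WORKFLOWS.get(workflow_id)
    if wf is None or wf["owner"] != session.user_id:
        raise Forbidden("workflow not found or not owned by caller")
    del WORKFLOWS[workflow_id]
    return {"status": "ok", "deleted": workflow_id}


# Matches the endpoint path quoted in the report; query string is ignored.
WORKFLOW_PATH = re.compile(
    r"^/nextcloud/ocs/v2\.php/apps/workflowengine/api/v1/workflows/user/(\d+)"
)


def route_delete(session, path, now=None):
    """Dispatch a DELETE request path to the handler; returns (status, body)."""
    m = WORKFLOW_PATH.match(path)
    if not m:
        return 404, {"error": "no route"}
    try:
        body = delete_workflow(session, int(m.group(1)), now=now)
    except Forbidden as e:
        return 403, {"error": str(e)}
    return 200, body


if __name__ == "__main__":
    s = Session(user_id=1)
    p = "/nextcloud/ocs/v2.php/apps/workflowengine/api/v1/workflows/user/3?format=json"
    print(route_delete(s, p, now=1000))   # 403: no confirmation in session
    confirm_password(s, now=900)
    print(route_delete(s, p, now=1000))   # 200: confirmed 100 s ago
```

The point of the decorator is that the confirmation state lives in the server session and is checked on every protected request; the dialog in the settings page is then just a convenience for obtaining that state, not the control itself.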
[add details for how we can reproduce the issue]
{F2626834}
{F2626842}
DELETE /nextcloud/ocs/v2.php/apps/workflowengine/api/v1/workflows/user/3?format=json
{F2626845}
{F2626858}
https://www.geeksforgeeks.org/how-to-prevent-broken-access-control
bypass password confirmation
delete workflow without password confirmation