Nextcloud 17 lets a user set up 2FA providers during login. A missing check on that setup route makes the following steps possible:
- Enforce 2FA for all users
- As a user, configure a 2FA provider (via settings or at login)
- Log out
- Log in again (password only)
- When prompted with the earlier set up provider, go to /login/setupchallenge
- Set up another provider that hasn’t been set up before
- You’re logged in
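To show the missing check in isolation, here is an added model of the login and setup-challenge flow in Python (constructed for this note, not Nextcloud's code; user, provider and function names are hypothetical). The vulnerable handler lets a partially authenticated session enrol any new provider and treats that enrolment as the completed second factor; the hardened handler only offers in-login setup when the user has no enabled provider yet.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    enabled_providers: set = field(default_factory=set)


@dataclass
class Session:
    user: User
    password_ok: bool = False
    second_factor_ok: bool = False


class SetupRefused(Exception):
    pass


def login_password(session: Session) -> None:
    """Password step only; 2FA is enforced, so a second factor is still owed."""
    session.password_ok = True
    session.second_factor_ok = False


def setup_challenge_vulnerable(session: Session, provider: str) -> bool:
    """Missing check: any not-yet-configured provider may be enrolled
    mid-login, and the enrolment is taken as passing the challenge."""
    if provider in session.user.enabled_providers:
        raise SetupRefused("provider already set up")
    session.user.enabled_providers.add(provider)
    session.second_factor_ok = True
    return session.second_factor_ok


def setup_challenge_fixed(session: Session, provider: str) -> bool:
    """Hardened: in-login setup is only for users with no enabled provider;
    anyone who already has one must answer that provider's challenge."""
    if session.user.enabled_providers:
        raise SetupRefused("a provider is already enabled; complete its challenge")
    session.user.enabled_providers.add(provider)
    session.second_factor_ok = True
    return session.second_factor_ok


def run_report_steps(setup) -> bool:
    """Replay the reported sequence against a setup handler and return
    whether the session ends up fully authenticated (constructed data)."""
    session = Session(User("alice", {"totp"}))  # provider configured earlier
    login_password(session)
    try:
        setup(session, "u2f")  # a second provider never configured before
    except SetupRefused:
        pass
    return session.second_factor_ok
```

With the vulnerable handler the replay ends fully authenticated without the configured provider ever being challenged; with the fixed handler the session still owes the second factor.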
Impact
Bypass a user’s second-factor authentication protection.