Create a new mail share with a password by using the OCS endpoint with something like:
curl -u admin:admin -X POST -H “OCS-APIRequest: true” “http://localhost/ocs/v1.php/apps/files_sharing/api/v1/shares?path=welcome.txt&shareType=4&[email protected]&password=plainTextPassword”
Check the last item in the “oc_share” table in the database; the stored password is “plainTextPassword” instead of a hashed version.
Note that the password is properly hashed if the password is autogenerated (https://github.com/nextcloud/server/blob/caff1023ea72bb2ea94130e18a2a6e2ccf819e5f/apps/sharebymail/lib/ShareByMailProvider.php#L236) or if the share is later updated with another password (https://github.com/nextcloud/server/blob/16da29caba1cefa4c0762fae6014d6d2c737ee94/lib/private/Share20/Manager.php#L1085).
An attacker would be able to get the plain text password of a mail share.