Security Notice: Impact of CVE-2026-33634 on ownCloud Build Infrastructure - ownCloud
No customer data was compromised. No source code was altered. The attack affected our build infrastructure only, specifically the systems that produce container images and client binaries. If you are using a build before March 19th, no action is needed If you are using ocis-rolling image conta...
Security Advisory: Credential Theft Incidents - ownCloud
Comprehensive MFA options with administrative controls to enforce policies organization-wide, plus alerts when risky settings are used Embedded network and web application firewalls that are pre-configured and continuously updated, no customer maintenance required Zero-trust architecture with...
Cross-site Request Forgery in diagnostics app - ownCloud
Improper handling of CSRF protection in the diagnostics app in combination with the SameSite-Cookie setting being set to None allows cross site invocation of an admin API...
Insecure Direct Object Reference in external storage - ownCloud
Insecure Direct Object Reference in external storage configuration may allow an authenticated attacker to change configuration of external storage of another user as well as gain access to credentials...
Server-Side Request Forgery in federated sharing API - ownCloud
Server-Side Request Forgery in federated sharing API may allow an unauthenticated attacker to identify internal servers. Furthermore, due to improper timeout handling, the server could be affected by a Denial of Service attack...
URL manipulation when sharing files via email - ownCloud
Improper handling of URL in sharing notification may allow an authenticated attacker to send an email to another user containing a potentially malicious URL...
Improper access control in SVG preview generation - ownCloud
Improper access control in SVG preview generation may allow an authenticated attacker to gain access to other users' images...
Authentication Bypass Using Pre-signed URLs - ownCloud
Improper validation may allow an attacker to bypass authentication and gain access to users’ files. Prior knowledge of a username and a file path is needed in order to gain access to a certain file...
Denial of Service in Comments API - ownCloud
Insufficient input validation in the Comments Plugin may allow an authenticated attacker to cause a Denial of Service...
Biometric Authentication Bypass - ownCloud
Improper validation in the Biometric authentication process may allow an attacker to bypass that process and gain unauthorized access. This attack requires physical access to the vulnerable device...
Improper Validation in the User Profile Metadata - ownCloud
Improper Validation in the User Profile Metadata may allow an authenticated attacker to edit their own profile in a way that consumes a substantial amount of resources, creating a Denial of Service...
Improper Validation in the User's Avatar Mechanism - ownCloud
Improper Validation in the User’s Avatar Mechanism may allow an authenticated attacker to edit their own profile in a way that consumes a substantial amount of resources, creating a Denial of Service...
Disclosure of sensitive credentials and configuration in containerized deployments - ownCloud
The “graphapi” app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment phpinfo. This information includes all the environment variables of the webserver. In containerized deployments, these environment variabl...
Subdomain Validation Bypass - ownCloud
Within the oauth2 app an attacker is able to pass in a specially crafted redirect-url which bypasses the validation code and thus allows the attacker to redirect callbacks to a TLD controlled by the attacker...
WebDAV Api Authentication Bypass using Pre-Signed URLs - ownCloud
It is possible to access, modify or delete any file without authentication if the username of the victim is known and the victim has no signing-key configured (which is the default)...
Edit of share permissions causes public links misbehaviour - ownCloud
Changes to the permissions of a share were propagated to public links of child resources...
SQLInjection in FileContentProvider.kt - ownCloud
Due to some insecure code in an exported content provider, an attacker with local access could retrieve information from the ownCloud app database through SQL injection...
Insufficient path validation in Android App - ownCloud
Due to missing file path sanitation an attacker could read from and write to the Android app’s internal storage...
URL spoofing in password reset mail - ownCloud
The docker image of the ownCloud server contained a misconfiguration which rendered the 'trusted_domains' config useless. This could be abused to spoof the URL in password reset mails...
Information disclosure in settings UI and API responses - ownCloud
The settings page and some API responses of a few ownCloud apps contained plaintext credentials...
Security updates in Desktop Client - ownCloud
Even though there are no known vulnerabilities in the ownCloud desktop client, we have updated the Qt library, which includes the zlib library. This is a preventive measure to make sure the client is not vulnerable to the remote code execution vulnerability in zlib...
Access to internal files through ownCloud Android App - ownCloud
An attacker with local access to a device with the ownCloud Android app could access internal files of the app...
ownCloud Android App lock bypass - ownCloud
An attacker with physical access to the device could bypass the app lock of the ownCloud Android App...
Missing URL validation allowed RCE on the desktop client - ownCloud
A malicious server could achieve remote code execution on the desktop client because of missing validation of URLs. Exploitation required user interaction...
Server Side Request Forgery (SSRF) through user_ldap app - ownCloud
Server Side Request Forgery (SSRF) vulnerability in the settings of the user_ldap app. Administration role is necessary for exploitation...
Federated share recipient can increase permissions - ownCloud
The receiver of a federated share could update the permissions granted to the receivers of the share...
Shareinfo url doesn't verify file drop permissions - ownCloud
The permission check for a file drop (upload only) share could be circumvented by using the shareinfo API. This allowed viewing the file list of the file drop but did not allow downloads...
Session fixation on public links - ownCloud
The session cookies were not reset after authenticating for public links...
Full path and username disclosure in public links - ownCloud
By appending certain characters to the query parameters of a public share link an error could be triggered which would display the internal path and username of the share owner...
Upload of malicious files to publicly shared folders - ownCloud
It was possible to upload malicious files to a public share. The malicious files were detected but ended up in a state where they were not deleted...
Arbitrary code execution through admin settings - ownCloud
In the administration settings of the files_antivirus app it was possible to execute arbitrary code...
Authenticated account enumeration in sharing dialog - ownCloud
The sharing dialog implements a user enumeration mitigation to prevent an authenticated user from getting a list of all accounts registered on the instance via the auto-complete dropdown. In the default configuration at least 3 characters of the name or email of the share-receiver “Sharee” must...
DLL injection in the ownCloud Desktop Client - ownCloud
The released desktop client was loading development plugins from certain directories when they were present...
Cross Site Request Forgery in the ocs api
The CSRF token was not properly checked on cookie authenticated requests against the ocs api...
Missing user validation leading to information disclosure
Deleting users with certain names caused system files to be deleted. Risk is higher for systems which allow users to register themselves and have the data directory in the web root...
Reflected XSS in login page forgot password functionality
The login page was not properly sanitizing exception messages from the ownCloud server...
Bypassing App Lock (Pattern/Passcode/Fingerprint lock | Android) (oC-SA-2020-003)
Given an attacker has physical access, creating a backup of the ownCloud Android app via adb provides access to the app preferences file. Contained in the file were settings related to the app lock feature such as the pincode/pattern and if the respective lock is active. An attacker could change...
Bypassing File Firewall (oC-SA-2020-002)
Platform: ownCloud Server Versions: n/a Date: 8/3/2020 Risk: Low CVSS v3 Base Score: 1.6 CVSS v3 Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N CWE ID: CWE-791 CWE Name: Incomplete Filtering of Special Elements...
Files_antivirus doesn't delete virus if uploaded through public link
Risk: low CVSS v3 Base Score: 1.2 CVSS v3 Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:N CWE ID: CWE-280 CWE Name: Improper Handling of Insufficient Permissions or Privileges...
Security lock can be bypassed by changing the system date
Given an attacker has physical access to the device, a faulty timestamp check allowed bypassing the app lock by setting the system date to the past...
Public-Link Password-Bypass via Image-Previews – ownCloud
It was possible to access the preview-image of a password-protected public-link. The severity of the issue is reduced to low because the attacker needs to know the public-link hash and the original filename of the image. Affected: owncloud/core v10.4. Action taken: Applied...
SSRF in "Add to your ownCloud" functionality – ownCloud
It is possible to force the ownCloud server to execute GET requests against a crafted URL on the internal or external network (Server Side Request Forgery) after receiving a public link-share URL. The criticality of this issue is lowered because the attacker can not see the result of the...
Access to all file-versions of a user as soon as he has one share with the attacker – ownCloud
An authenticated attacker can access all versions of all files, even unshared ones, as soon as the owner of said files has at least one outgoing share with the attacker. The attacker needs to guess a file-id, which is numeric and sequential. Affected: owncloud/core = v10.0.9, owncloud/core...
Deleting received group share for whole group – ownCloud
A group-share recipient can remove the received group share for all group-recipients. No data-loss occurs as the share can be re-created again. Affected: owncloud/core v10.3.0. Action taken: Improve permission check when deleting groups...
Deleting received group share for whole group
Platform: ownCloud Server Versions: 10.2.0 Date: 2/28/2020 Risk: Low CVSS v3 Base Score: 3.5 CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N CWE ID: 385 CWE Name: Improper Privilege Management...
Public-Link Password-Bypass via Image-Previews - ownCloud security advisory
Platform: ownCloud Server Versions: 10.3 Date: 2/28/2020 Risk: Low CVSS v3 Base Score: 3.1 CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CWE ID: 284 CWE Name: Improper Access Control...
Access to all file-versions of a user - ownCloud security advisory
Platform: ownCloud Server Versions: 10.3.0 Date: 2/28/2020 Risk: Medium CVSS v3 Base Score: 6.8 CVSS v3 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CWE ID: 648 CWE Name: Incorrect Use of Privileged APIs...
SSRF in "Add to your ownCloud" functionality - security advisory
It is possible to force the ownCloud server to execute GET requests against a crafted URL on the internal or external network (Server Side Request Forgery) after receiving a public link-share URL. The criticality of this issue is lowered because the attacker can not see the result of the forged...
Possibility to extend internal-share permissions using the API – ownCloud
An attacker can extend the permissions of a received subfolder share using the ocs api. Additional risk exists because the privilege extension is also possible on public-shares. Affected Software ownCloud Server 10.2.1 CVE-2019-???? core/55a29e0aaef5ebb55cf15ce309d7daaea4fb6c06 Action Taken Added...