Bypass of application specific PIN
The ownCloud Android application does support setting a PIN that has to be provided before the application can be opened. An attacker may remove the PIN by clearing the application data via the Android system settings. By doing that the application information would be removed while the...
Subdomain Validation Bypass - ownCloud
Within the oauth2 app an attacker is able to pass in a specially crafted redirect-url which bypasses the validation code and thus allows the attacker to redirect callbacks to a TLD controlled by the attacker...
Server: Users can mount the local filesystem
Due to an insufficient permission check, authenticated users are able to access preview pictures of other users. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...
URL manipulation when sharing files via email - ownCloud
Improper handling of URL in sharing notification may allow an authenticated attacker to send an email to another user containing a potentially malicious URL...
Disclosure of sensitive credentials and configuration in containerized deployments - ownCloud
The “graphapi” app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variabl...
Server: Multiple XSS
Multiple stored and reflected XSS have been addressed. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...
Security lock can be bypassed by changing the system date
Given an attacker has physical access to the device, a faulty timestamp check allowed the app lock to be bypassed by setting the system date to the past...
Security Notice: Impact of CVE-2026-33634 on ownCloud Build Infrastructure - ownCloud
No customer data was compromised. No source code was altered. The attack affected our build infrastructure only - specifically the systems that produce container images and client binaries. If you are using a build before March 19th, no action is needed. If you are using ocis-rolling image conta...
Security Advisory: Credential Theft Incidents - ownCloud
Comprehensive MFA options with administrative controls to enforce policies organization-wide, plus alerts when risky settings are used. Embedded network and web application firewalls that are pre-configured and continuously updated - no customer maintenance required. Zero-trust architecture with...