OwncloudCVEs & Vulnerabilities

168 CVEs affecting Owncloud products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

owncloud server 1,361owncloud 181owncloud client 7owncloud desktop client 5files antivirus 3graph api 2user ldap 1guests 1
CVE-2025-59716KEVMEDIUMin the wild

ownCloud Guests before 0.12.5 allows unauthenticated user enumeration via the /apps/guests/register/{email}/{token} endpoint. Because of insufficient validation of the supplied token in showPasswordForm, the server responds differently when an e-mail address corresponds to a valid pending guest user rather than a non-existent user.

11 Apr 2026
5.3
CVSS
CVE-2023-49103KEVHIGHin the wild

An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.

30 Nov 2023
7.5
CVSS
CVE-2023-49105CRITICAL

An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.

22 Nov 2023
9.8
CVSS
CVE-2023-49104MEDIUM

An issue was discovered in ownCloud owncloud/oauth2 before 0.6.1, when Allow Subdomains is enabled. An attacker is able to pass in a crafted redirect-url that bypasses validation, and consequently allows an attacker to redirect callbacks to a Top Level Domain controlled by the attacker.

22 Nov 2023
6.1
CVSS
CVE-2023-24804MEDIUM

The ownCloud Android app allows ownCloud users to access, share, and edit files and folders. Prior to version 3.0, the app has an incomplete fix for a path traversal issue and is vulnerable to two bypass methods. The bypasses may lead to information disclosure when uploading the app’s internal files, and to arbitrary file write when uploading plain text files (although limited by the .txt extension). Version 3.0 fixes the reported bypasses.

13 Feb 2023
4.4
CVSS
CVE-2023-23948MEDIUM

The ownCloud Android app allows ownCloud users to access, share, and edit files and folders. Version 2.21.1 of the ownCloud Android app is vulnerable to SQL injection in `FileContentProvider.kt`. This issue can lead to information disclosure. Two databases, `filelist` and `owncloud_database`, are affected. In version 3.0, the `filelist` database was deprecated. However, injections affecting `owncloud_database` remain relevant as of version 3.0.

13 Feb 2023
5.5
CVSS
CVE-2022-43679MEDIUM

The Docker image of ownCloud Server through 10.11 contains a misconfiguration that renders the trusted_domains config useless. This could be abused to spoof the URL in password-reset e-mail messages.

11 Nov 2022
5.3
CVSS
CVE-2022-31649HIGH

ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer.

9 Jun 2022
7.5
CVSS
CVE-2022-25339MEDIUM

ownCloud owncloud/android 2.20 has Incorrect Access Control for local attackers.

7 Apr 2022
5.5
CVSS
CVE-2022-25338MEDIUM

ownCloud owncloud/android before 2.20 has Incorrect Access Control for physically proximate attackers.

7 Apr 2022
6.8
CVSS
CVE-2021-44537HIGH

ownCloud owncloud/client before 2.9.2 allows Resource Injection by a server into the desktop client via a URL, leading to remote code execution.

16 Jan 2022
7.8
CVSS
CVE-2021-33828HIGH

The files_antivirus component before 1.0.0 for ownCloud mishandles the protection mechanism by which malicious files (that have been uploaded to a public share) are supposed to be deleted upon detection.

16 Jan 2022
8.8
CVSS
CVE-2021-33827HIGH

The files_antivirus component before 1.0.0 for ownCloud allows OS Command Injection via the administration settings.

16 Jan 2022
7.2
CVSS
CVE-2021-40537LOW

Server Side Request Forgery (SSRF) vulnerability exists in owncloud/user_ldap < 0.15.4 in the settings of the user_ldap app. Administration role is necessary for exploitation.

8 Sep 2021
2.7
CVSS
CVE-2021-35948MEDIUM

Session fixation on password protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled cookie.

7 Sep 2021
5.4
CVSS
CVE-2021-35946CRITICAL

A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the permissions and therefore elevate their own permissions.

7 Sep 2021
9.8
CVSS
CVE-2021-35949MEDIUM

The shareinfo controller in the ownCloud Server before 10.8.0 allows an attacker to bypass the permission checks for upload only shares and list metadata about the share.

7 Sep 2021
5.3
CVSS
CVE-2021-35947MEDIUM

The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL.

7 Sep 2021
5.3
CVSS
CVE-2021-29659MEDIUM

ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces. Secondary, the retrieval of all users on a large instance could cause higher than average load on the instance.

20 May 2021
6.5
CVSS
CVE-2020-28646HIGH

ownCloud owncloud/client before 2.7 allows DLL Injection. The desktop client loaded development plugins from certain directories when they were present.

26 Feb 2021
7.8
CVSS
CVE-2020-36248MEDIUM

The ownCloud application before 2.15 for Android allows attackers to use adb to include a PIN preferences value in a backup archive, and consequently bypass the PIN lock feature by restoring from this archive.

19 Feb 2021
4.6
CVSS
CVE-2020-36252MEDIUM

ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file by sending a request for a predictable ID number.

19 Feb 2021
5.7
CVSS
CVE-2020-36251MEDIUM

ownCloud Server before 10.3.0 allows an attacker, who has received non-administrative access to a group share, to remove everyone else's access to that share.

19 Feb 2021
4.3
CVSS
CVE-2020-36250MEDIUM

In the ownCloud application before 2.15 for Android, the lock protection mechanism can be bypassed by moving the system date/time into the past.

19 Feb 2021
4.6
CVSS
CVE-2020-36249HIGH

The File Firewall before 2.8.0 for ownCloud Server does not properly enforce file-type restrictions for public shares.

19 Feb 2021
7.5
CVSS
CVE-2020-10254MEDIUM

An issue was discovered in ownCloud before 10.4. An attacker can bypass authentication on a password-protected image by displaying its preview.

19 Feb 2021
5.9
CVSS
CVE-2020-10252HIGH

An issue was discovered in ownCloud before 10.4. Because of an SSRF issue (via the apps/files_sharing/external remote parameter), an authenticated attacker can interact with local services blindly (aka Blind SSRF) or conduct a Denial Of Service attack.

19 Feb 2021
8.3
CVSS
CVE-2020-28645CRITICAL

Deleting users with certain names caused system files to be deleted. Risk is higher for systems which allow users to register themselves and have the data directory in the web root. This affects ownCloud/core versions < 10.6.

9 Feb 2021
9.1
CVSS
CVE-2020-28644MEDIUM

The CSRF (Cross Site Request Forgery) token check was improperly implemented on cookie authenticated requests against some ocs API endpoints. This affects ownCloud/core version < 10.6.

9 Feb 2021
4.3
CVSS
CVE-2020-16144MEDIUM

When using an object storage like S3 as the file store, when a user creates a public link to a folder where anonymous users can upload files, and another user uploads a virus the files antivirus app would detect the virus but fails to delete it due to permission issues. This affects the files_antivirus component versions before 0.15.2 for ownCloud.

9 Feb 2021
5.7
CVSS
CVE-2020-16255MEDIUM

ownCloud (Core) before 10.5 allows XSS in login page 'forgot password.'

15 Jan 2021
6.1
CVSS
CVE-2015-4715MEDIUM

The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values.

17 Feb 2020
4.9
CVSS
CVE-2014-2052CRITICAL

Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.

11 Feb 2020
9.8
CVSS
CVE-2014-2050MEDIUM

Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header.

23 Jan 2020
6.5
CVSS
CVE-2013-0202MEDIUM

Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php.

17 Dec 2019
6.1
CVSS
CVE-2013-0203MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to apps/bookmarks/ajax/addBookmark.php.

22 Nov 2019
5.4
CVSS
CVE-2014-2048CRITICAL

The user_openid app in ownCloud Server before 5.0.15 allows remote attackers to obtain access by leveraging an insecure OpenID implementation.

26 Mar 2018
9.8
CVSS
CVE-2014-1665MEDIUMpoc

Cross-site scripting (XSS) vulnerability in ownCloud before 6.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file.

21 Mar 2018
5.4
CVSS
CVE-2017-9340MEDIUM

An attacker is logged in as a normal user and can somehow make admin to delete shared folders in ownCloud Server before 10.0.2.

18 Jul 2017
6.5
CVSS
CVE-2017-9339MEDIUM

A logical error in ownCloud Server before 10.0.2 caused disclosure of valid share tokens for public calendars. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token.

18 Jul 2017
5.3
CVSS
CVE-2017-9338MEDIUM

Inadequate escaping lead to XSS vulnerability in the search module in ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2. To be exploitable a user has to write or paste malicious content into the search dialogue.

18 Jul 2017
5.4
CVSS
CVE-2017-8896MEDIUM

ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2 are vulnerable to XSS on error pages by injecting code in url parameters.

18 Jul 2017
6.1
CVSS
CVE-2016-9468MEDIUM

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the dav app. The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.

28 Mar 2017
5.3
CVSS
CVE-2016-9467MEDIUM

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.

28 Mar 2017
5.3
CVSS
CVE-2016-9466MEDIUM

Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Reflected XSS in the Gallery application. The gallery app was not properly sanitizing exception messages from the Nextcloud/ownCloud server. Due to an endpoint where an attacker could influence the error message, this led to a reflected Cross-Site-Scripting vulnerability.

28 Mar 2017
6.1
CVSS
CVE-2016-9465MEDIUM

Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.

28 Mar 2017
5.4
CVSS
CVE-2016-9463HIGH

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authentication Bypass. Nextcloud/ownCloud include an optional and not by default enabled SMB authentication component that allows authenticating users against an SMB server. This backend is implemented in a way that tries to connect to a SMB server and if that succeeded consider the user logged-in. The backend did not properly take into account SMB servers that have any kind of anonymous auth configured. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials. Note: The SMB backend is disabled by default and requires manual configuration in the Nextcloud/ownCloud config file. If you have not configured the SMB backend then you're not affected by this vulnerability.

28 Mar 2017
8.1
CVSS
CVE-2016-9462MEDIUM

Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying restore privileges when restoring a file. The restore capability of Nextcloud/ownCloud was not verifying whether a user has only read-only access to a share. Thus a user with read-only access was able to restore old versions.

28 Mar 2017
4.3
CVSS
← PrevPage 1 / 4Next →