Nextcloud Mail
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Nextcloud Mail.
By the Year
In 2026 there have been 0 vulnerabilities in Nextcloud Mail. Nextcloud Mail did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 2 | 0.00 |
| 2023 | 2 | 4.80 |
| 2022 | 1 | 4.30 |
| 2021 | 2 | 4.30 |
| 2020 | 1 | 0.00 |
It may take a day or so for new Nextcloud Mail vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Nextcloud Mail Security Vulnerabilities
Nextcloud Mail Shared File Attachment Vulnerability
CVE-2024-52509
- November 15, 2024
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. The Nextcloud mail app incorrectly allowed attaching shared files without download permissions as attachments. This allowed users to send them the files to themselves and then downloading it from their mail clients. It is recommended that the Nextcloud Mail is upgraded to 2.2.10, 3.6.2 or 3.7.2.
Authorization
Nextcloud Mail Auto-Configuration Information Disclosure Vulnerability
CVE-2024-52508
- November 15, 2024
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. When a user is trying to set up a mail account with an email address like user@example.tld that does not support auto configuration, and an attacker managed to register autoconfig.tld, the used email details would be send to the server of the attacker. It is recommended that the Nextcloud Mail app is upgraded to 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 or 4.0.0.
Information Disclosure
Nextcloud Mail blind SSRF before 3.02 / 2.2.5 / 1.15.3
CVE-2023-33184
5.3 - Medium
- May 27, 2023
Nextcloud Mail is a mail app in Nextcloud. A blind SSRF attack allowed to send GET requests to services running in the same web server. It is recommended that the Mail app is update to version 3.02, 2.2.5 or 1.15.3.
SSRF
Nextcloud Mail internal NET scan via SMTP/IMAP/Sieve CVE-2023-23943 before 1.15/2.2
CVE-2023-23943
4.3 - Medium
- February 06, 2023
Nextcloud mail is an email app for the nextcloud home server platform. In affected versions the SMTP, IMAP and Sieve host fields allowed to scan for internal services and servers reachable from within the local network of the Nextcloud Server. It is recommended that the Nextcloud Maill app is upgraded to 1.15.0 or 2.2.2. The only known workaround for this issue is to completely disable the nextcloud mail app.
SSRF
Nextcloud mail is a Mail app for the Nextcloud home server product
CVE-2022-31131
4.3 - Medium
- July 06, 2022
Nextcloud mail is a Mail app for the Nextcloud home server product. Versions of Nextcloud mail prior to 1.12.2 were found to be missing user account ownership checks when performing tasks related to mail attachments. Attachments may have been exposed to incorrect system users. It is recommended that the Nextcloud Mail app is upgraded to 1.12.2. There are no known workarounds for this issue. ### Workarounds No workaround available ### References * [Pull request](https://github.com/nextcloud/mail/pull/6600) * [HackerOne](https://hackerone.com/reports/1579820) ### For more information If you have any questions or comments about this advisory: * Create a post in [nextcloud/security-advisories](https://github.com/nextcloud/security-advisories/discussions) * Customers: Open a support ticket at [support.nextcloud.com](https://support.nextcloud.com)
Insecure Direct Object Reference / IDOR
Nextcloud Mail is a mail app for Nextcloud
CVE-2021-32707
4.3 - Medium
- July 12, 2021
Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there was no IP leakage. The issue was patched in version 1.9.6 and 1.10.0. No workarounds are known to exist.
Nextcloud Mail is a mail app for the Nextcloud platform
CVE-2021-32652
4.3 - Medium
- June 01, 2021
Nextcloud Mail is a mail app for the Nextcloud platform. A missing permission check in Nextcloud Mail before 1.4.3 and 1.8.2 allows another authenticated users to access mail metadata of other users. Versions 1.4.3 and 1.8.2 contain patches for this vulnerability; no workarounds other than the patches are known to exist.
AuthZ
A missing verification of the TLS host in Nextcloud Mail 1.1.3
CVE-2020-8156
- May 12, 2020
A missing verification of the TLS host in Nextcloud Mail 1.1.3 allowed a man in the middle attack.
Improper Certificate Validation
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Nextcloud Mail or by Nextcloud? Click the Watch button to subscribe.
