Nextcloud Mail Nextcloud Mail

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Nextcloud Mail.

By the Year

In 2025 there have been 0 vulnerabilities in Nextcloud Mail. Last year, in 2024 Nextcloud Mail had 2 security vulnerabilities published. Right now, Nextcloud Mail is on track to have less security vulnerabilities in 2025 than it did last year.




Year Vulnerabilities Average Score
2025 0 0.00
2024 2 0.00
2023 1 5.30
2022 1 4.30
2021 2 4.30
2020 1 7.00
2019 0 0.00
2018 0 0.00

It may take a day or so for new Nextcloud Mail vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Nextcloud Mail Security Vulnerabilities

Nextcloud Mail Shared File Attachment Vulnerability

CVE-2024-52509 - November 15, 2024

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. The Nextcloud mail app incorrectly allowed attaching shared files without download permissions as attachments. This allowed users to send them the files to themselves and then downloading it from their mail clients. It is recommended that the Nextcloud Mail is upgraded to 2.2.10, 3.6.2 or 3.7.2.

Authorization

Nextcloud Mail Auto-Configuration Information Disclosure Vulnerability

CVE-2024-52508 - November 15, 2024

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. When a user is trying to set up a mail account with an email address like user@example.tld that does not support auto configuration, and an attacker managed to register autoconfig.tld, the used email details would be send to the server of the attacker. It is recommended that the Nextcloud Mail app is upgraded to 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 or 4.0.0.

Information Disclosure

Nextcloud Mail is a mail app in Nextcloud

CVE-2023-33184 5.3 - Medium - May 27, 2023

Nextcloud Mail is a mail app in Nextcloud. A blind SSRF attack allowed to send GET requests to services running in the same web server. It is recommended that the Mail app is update to version 3.02, 2.2.5 or 1.15.3.

SSRF

Nextcloud mail is a Mail app for the Nextcloud home server product

CVE-2022-31131 4.3 - Medium - July 06, 2022

Nextcloud mail is a Mail app for the Nextcloud home server product. Versions of Nextcloud mail prior to 1.12.2 were found to be missing user account ownership checks when performing tasks related to mail attachments. Attachments may have been exposed to incorrect system users. It is recommended that the Nextcloud Mail app is upgraded to 1.12.2. There are no known workarounds for this issue. ### Workarounds No workaround available ### References * [Pull request](https://github.com/nextcloud/mail/pull/6600) * [HackerOne](https://hackerone.com/reports/1579820) ### For more information If you have any questions or comments about this advisory: * Create a post in [nextcloud/security-advisories](https://github.com/nextcloud/security-advisories/discussions) * Customers: Open a support ticket at [support.nextcloud.com](https://support.nextcloud.com)

Insecure Direct Object Reference / IDOR

Nextcloud Mail is a mail app for Nextcloud

CVE-2021-32707 4.3 - Medium - July 12, 2021

Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there was no IP leakage. The issue was patched in version 1.9.6 and 1.10.0. No workarounds are known to exist.

Nextcloud Mail is a mail app for the Nextcloud platform

CVE-2021-32652 4.3 - Medium - June 01, 2021

Nextcloud Mail is a mail app for the Nextcloud platform. A missing permission check in Nextcloud Mail before 1.4.3 and 1.8.2 allows another authenticated users to access mail metadata of other users. Versions 1.4.3 and 1.8.2 contain patches for this vulnerability; no workarounds other than the patches are known to exist.

AuthZ

A missing verification of the TLS host in Nextcloud Mail 1.1.3

CVE-2020-8156 7 - High - May 12, 2020

A missing verification of the TLS host in Nextcloud Mail 1.1.3 allowed a man in the middle attack.

Improper Certificate Validation

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Nextcloud Mail or by Nextcloud? Click the Watch button to subscribe.

Nextcloud
Vendor

subscribe