Nextcloud Server
By the Year
In 2026 there have been 0 vulnerabilities in Nextcloud Server. Last year, in 2025, Nextcloud Server had 2 security vulnerabilities published. Right now, Nextcloud Server is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 2 | 4.30 |
| 2024 | 0 | 0.00 |
| 2023 | 1 | 7.80 |
| 2022 | 2 | 5.30 |
| 2021 | 2 | 6.50 |
| 2020 | 1 | 8.00 |
It may take a day or so for new Nextcloud Server vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Nextcloud Server Security Vulnerabilities
Nextcloud Server 30.0.0 IDOR via /core/preview fileId
CVE-2025-64011
4.3 - Medium
- December 12, 2025
Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing permissions.
Insecure Direct Object Reference / IDOR
Nextcloud Server <28.0.13, <29.0.10, <30.0.3: Unprotected share endpoint allows proxy
CVE-2025-47791
- May 16, 2025
Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server prior to 28.0.13, 29.0.10, and 30.0.3 and Nextcloud Enterprise Server prior to 28.0.13, 29.0.10, and 30.0.3, a currently unused endpoint to verify a share recipient was not protected correctly, allowing requests to be proxied to another server. The endpoint was removed in Nextcloud Server 28.0.13, 29.0.10, and 30.0.3 and Nextcloud Enterprise Server 28.0.13, 29.0.10, and 30.0.3. No known workarounds are available.
SSRF
Nextcloud Server CVE-2023-25820: Brute-Force Confirm (25.0.4/24.0.10)
CVE-2023-25820
7.8 - High
- March 22, 2023
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Enterprise Server is the enterprise version of the file server software. In Nextcloud Server versions 25.0.x prior to 25.0.5 and versions 24.0.x prior to 24.0.10, as well as Nextcloud Enterprise Server versions 25.0.x prior to 25.0.4, 24.0.x prior to 24.0.10, 23.0.x prior to 23.0.12.5, 22.x prior to 22.2.0.10, and 21.x prior to 21.0.9.10, when an attacker gets access to an already logged-in user session they can then brute force the password on the confirmation endpoint. Nextcloud Server should be upgraded to 24.0.10 or 25.0.4 and Nextcloud Enterprise Server should be upgraded to 21.0.9.10, 22.2.10.10, 23.0.12.5, 24.0.10, or 25.0.4 to receive a patch. No known workarounds are available.
Improper Restriction of Excessive Authentication Attempts
Nextcloud Server v<23.0.8/24.0.4 Local Webservice Exposure (CVE-2022-39211)
CVE-2022-39211
5.3 - Medium
- September 16, 2022
Nextcloud Server is an open source personal cloud platform. In affected versions it was found that locally running web services could be discovered and requested erroneously. It is recommended that Nextcloud Server is upgraded to 23.0.8 or 24.0.4. It is recommended that Nextcloud Enterprise Server is upgraded to 22.2.10.4, 23.0.8 or 24.0.4. There are no known workarounds for this issue.
SSRF
Brute-Force Token Leak in Nextcloud Server <=24 via Federated Sharing
CVE-2022-31118
5.3 - Medium
- August 04, 2022
Nextcloud Server is an open source personal cloud solution. In affected versions an attacker could brute force to find out whether federated sharing is being used and potentially try to brute force access tokens for federated shares (`a-zA-Z0-9` ^ 15). It is recommended that Nextcloud Server is upgraded to 22.2.9, 23.0.6 or 24.0.2. Users unable to upgrade may disable federated sharing via the Admin Sharing settings in `index.php/settings/admin/sharing`.
Improper Restriction of Excessive Authentication Attempts
Nextcloud is an open-source, self-hosted productivity platform
CVE-2021-41179
6.5 - Medium
- October 25, 2021
Nextcloud is an open-source, self-hosted productivity platform. Prior to Nextcloud Server versions 20.0.13, 21.0.5, and 22.2.0, the Two-Factor Authentication wasn't enforced for pages marked as public. Any page marked as `@PublicPage` could thus be accessed with a valid user session that isn't authenticated. This particularly affects the Nextcloud Talk application, as this could be leveraged to gain access to any private chat channel without going through the Two-Factor flow. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading.
Missing Critical Step in Authentication
Nextcloud is an open-source, self-hosted productivity platform
CVE-2021-41178
6.5 - Medium
- October 25, 2021
Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, a file traversal vulnerability allows an attacker to download arbitrary SVG images from the host system, including user-provided files. This could also be leveraged into an XSS/phishing attack: an attacker could upload a malicious SVG file that mimics the Nextcloud login form and send a specially crafted link to victims. The XSS risk here is mitigated by the fact that Nextcloud employs a strict Content-Security-Policy disallowing execution of arbitrary JavaScript. It is recommended that Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading.
Unrestricted File Upload
A bug in Nextcloud Server 17.0.1 causes the workflow rules to base their behaviour on the file extension when checking file mimetypes.
CVE-2019-15613
8 - High
- February 04, 2020
A bug in Nextcloud Server 17.0.1 causes the workflow rules to base their behaviour on the file extension when checking file mimetypes.
Insufficient Verification of Data Authenticity