ownCloud Open source project for data and file sync, share and view

Known Exploited ownCloud Vulnerabilities

The following ownCloud vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

The vulnerability CVE-2023-49103: ownCloud graphapi Information Disclosure Vulnerability is in the top 1% of the currently known exploitable vulnerabilities.

By the Year

In 2026 there have been 1 vulnerability in ownCloud with an average score of 9.8 out of ten. ownCloud did not have any published security vulnerabilities last year. That is, 1 more vulnerability have already been reported in 2026 as compared to last year.

Recent ownCloud Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2019-25337	Feb 12, 2026	OwnCloud 8.1.8 Username Enumeration via share.php wildcard search OwnCloud 8.1.8 contains a username enumeration vulnerability that allows remote attackers to discover user accounts by manipulating the share.php endpoint. Attackers can send crafted GET requests to /index.php/core/ajax/share.php with a wildcard search parameter to retrieve comprehensive user information.	Owncloud
CVE-2024-50657	Nov 22, 2024	Owncloud Android App 4.3.1 PassCodeViewModel Priv Escalation An issue in Owncloud android apk v.4.3.1 allows a physically proximate attacker to escalate privileges via the PassCodeViewModel class, specifically in the checkPassCodeIsValid method	Owncloud
CVE-2023-49103	Nov 21, 2023	ownCloud GraphAPI 0.2.x/0.3.x PHPinfo Disclosure An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.	Graph Api
CVE-2023-49104	Nov 21, 2023	owncloud/oauth2 <0.6.1 AllowSubdomains Redirect-URI Bypass An issue was discovered in ownCloud owncloud/oauth2 before 0.6.1, when Allow Subdomains is enabled. An attacker is able to pass in a crafted redirect-url that bypasses validation, and consequently allows an attacker to redirect callbacks to a Top Level Domain controlled by the attacker.	Oauth2
CVE-2023-49105	Nov 21, 2023	ownCloud core 10.13.1: unauth file access via pre-signed URLs An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.	Owncloud Owncloud Server
CVE-2023-24804	Feb 13, 2023	OwnCloud Android App <3.0 Path Traversal & File Write The ownCloud Android app allows ownCloud users to access, share, and edit files and folders. Prior to version 3.0, the app has an incomplete fix for a path traversal issue and is vulnerable to two bypass methods. The bypasses may lead to information disclosure when uploading the apps internal files, and to arbitrary file write when uploading plain text files (although limited by the .txt extension). Version 3.0 fixes the reported bypasses.	Owncloud Owncloud Client
CVE-2023-23948	Feb 13, 2023	SQLi in ownCloud Android App (v2.21.1, 3.0) The ownCloud Android app allows ownCloud users to access, share, and edit files and folders. Version 2.21.1 of the ownCloud Android app is vulnerable to SQL injection in `FileContentProvider.kt`. This issue can lead to information disclosure. Two databases, `filelist` and `owncloud_database`, are affected. In version 3.0, the `filelist` database was deprecated. However, injections affecting `owncloud_database` remain relevant as of version 3.0.	Owncloud Owncloud Client
CVE-2022-43679	Nov 10, 2022	ownCloud 10.11: misconfig renders trusted_domains ineffective, URL spoofing The Docker image of ownCloud Server through 10.11 contains a misconfiguration that renders the trusted_domains config useless. This could be abused to spoof the URL in password-reset e-mail messages.	Owncloud
CVE-2022-31649	Jun 09, 2022	ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer. ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer.	Owncloud
CVE-2022-25339	Apr 07, 2022	ownCloud owncloud/android 2.20 has Incorrect Access Control for local attackers. ownCloud owncloud/android 2.20 has Incorrect Access Control for local attackers.	Owncloud Owncloud Client
CVE-2022-25338	Apr 07, 2022	ownCloud owncloud/android before 2.20 has Incorrect Access Control for physically proximate attackers. ownCloud owncloud/android before 2.20 has Incorrect Access Control for physically proximate attackers.	Owncloud Owncloud Client
CVE-2021-44537	Jan 15, 2022	ownCloud owncloud/client before 2.9.2 ownCloud owncloud/client before 2.9.2 allows Resource Injection by a server into the desktop client via a URL, leading to remote code execution.	Owncloud Owncloud Desktop Client
CVE-2021-33828	Jan 15, 2022	The files_antivirus component before 1.0.0 for ownCloud mishandles the protection mechanism by which malicious files ( The files_antivirus component before 1.0.0 for ownCloud mishandles the protection mechanism by which malicious files (that have been uploaded to a public share) are supposed to be deleted upon detection.	Files Antivirus
CVE-2021-33827	Jan 15, 2022	The files_antivirus component before 1.0.0 for ownCloud The files_antivirus component before 1.0.0 for ownCloud allows OS Command Injection via the administration settings.	Files Antivirus
CVE-2021-40537	Sep 08, 2021	Server Side Request Forgery (SSRF) vulnerability exists in owncloud/user_ldap < 0.15.4 in the settings of the user_ldap app Server Side Request Forgery (SSRF) vulnerability exists in owncloud/user_ldap < 0.15.4 in the settings of the user_ldap app. Administration role is necessary for exploitation.	User Ldap
CVE-2021-35946	Sep 07, 2021	A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the permissions and therefore elevate their own permissions. A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the permissions and therefore elevate their own permissions.	Owncloud
CVE-2021-35948	Sep 07, 2021	Session fixation on password protected public links in the ownCloud Server before 10.8.0 Session fixation on password protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled cookie.	Owncloud
CVE-2021-35947	Sep 07, 2021	The public share controller in the ownCloud server before version 10.8.0 The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL.	Owncloud
CVE-2021-35949	Sep 07, 2021	The shareinfo controller in the ownCloud Server before 10.8.0 The shareinfo controller in the ownCloud Server before 10.8.0 allows an attacker to bypass the permission checks for upload only shares and list metadata about the share.	Owncloud
CVE-2021-29659	May 20, 2021	ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces. Secondary, the retrieval of all users on a large instance could cause higher than average load on the instance.	Owncloud Owncloud Server
CVE-2020-28646	Feb 26, 2021	ownCloud owncloud/client before 2.7 allows DLL Injection ownCloud owncloud/client before 2.7 allows DLL Injection. The desktop client loaded development plugins from certain directories when they were present.	Owncloud Desktop Client
CVE-2020-36248	Feb 19, 2021	The ownCloud application before 2.15 for Android The ownCloud application before 2.15 for Android allows attackers to use adb to include a PIN preferences value in a backup archive, and consequently bypass the PIN lock feature by restoring from this archive.	Owncloud Client
CVE-2020-36250	Feb 19, 2021	In the ownCloud application before 2.15 for Android, the lock protection mechanism In the ownCloud application before 2.15 for Android, the lock protection mechanism can be bypassed by moving the system date/time into the past.	Owncloud Client
CVE-2020-36252	Feb 19, 2021	ownCloud Server 10.x before 10.3.1 ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file by sending a request for a predictable ID number.	Owncloud Server
CVE-2015-4715	Feb 17, 2020	The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values.	Owncloud Owncloud Server
CVE-2014-2052	Feb 11, 2020	Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.	Owncloud Owncloud Server
CVE-2014-2050	Jan 23, 2020	Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header.	Owncloud Owncloud Server
CVE-2013-0202	Dec 17, 2019	Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php.	Owncloud Server Owncloud
CVE-2013-0203	Nov 22, 2019	Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to apps/bookmarks/ajax/addBookmark.php.	Owncloud Owncloud Server
CVE-2017-9339	Jul 17, 2017	A logical error in ownCloud Server before 10.0.2 caused disclosure of valid share tokens for public calendars A logical error in ownCloud Server before 10.0.2 caused disclosure of valid share tokens for public calendars. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token.	Owncloud
CVE-2017-9340	Jul 17, 2017	An attacker is logged in as a normal user and An attacker is logged in as a normal user and can somehow make admin to delete shared folders in ownCloud Server before 10.0.2.	Owncloud
CVE-2017-9338	Jul 17, 2017	Inadequate escaping lead to XSS vulnerability in the search module in ownCloud Server before 8.2.12 Inadequate escaping lead to XSS vulnerability in the search module in ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2. To be exploitable a user has to write or paste malicious content into the search dialogue.	Owncloud
CVE-2016-7102	Jan 23, 2017	ownCloud Desktop before 2.2.3 ownCloud Desktop before 2.2.3 allows local users to execute arbitrary code and possibly gain privileges via a Trojan library in a "special path" in the C: drive.	Owncloud Desktop Client
CVE-2016-1500	Jan 08, 2016	ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the "file_versions" application is enabled, does not properly check the return value of getOwner, which ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the "file_versions" application is enabled, does not properly check the return value of getOwner, which allows remote authenticated users to read the files with names starting with ".v" and belonging to a sharing user by leveraging an incoming share.	Owncloud Owncloud Server
CVE-2016-1499	Jan 08, 2016	ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allow remote authenticated users to obtain sensitive information from a directory listing and possibly cause a denial of service (CPU consumption) via the force parameter to index.php/apps/files/ajax/scan.php.	Owncloud Owncloud Server
CVE-2016-1498	Jan 08, 2016	Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a URL.	Owncloud Owncloud Server
CVE-2016-1501	Jan 08, 2016	ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 allow remote authenticated users to obtain sensitive information via unspecified vectors, which reveals the installation path in the resulting exception messages.	Owncloud Owncloud Server
CVE-2015-5955	Oct 29, 2015	ownCloud iOS app before 3.4.4 does not properly switch state between multiple instances, which might ownCloud iOS app before 3.4.4 does not properly switch state between multiple instances, which might allow remote instance administrators to obtain sensitive credential and cookie information by reading authentication headers.	Owncloud Owncloud Client
CVE-2015-7699	Oct 26, 2015	The files_external app in ownCloud Server before 7.0.9, 8.0.x before 8.0.7, and 8.1.x before 8.1.2 The files_external app in ownCloud Server before 7.0.9, 8.0.x before 8.0.7, and 8.1.x before 8.1.2 allows remote authenticated users to instantiate arbitrary classes and possibly execute arbitrary code via a crafted mount point option, related to "objectstore."	Owncloud Server
CVE-2015-6500	Oct 26, 2015	Directory traversal vulnerability in ownCloud Server before 8.0.6 and 8.1.x before 8.1.1 Directory traversal vulnerability in ownCloud Server before 8.0.6 and 8.1.x before 8.1.1 allows remote authenticated users to list directory contents and possibly cause a denial of service (CPU consumption) via a .. (dot dot) in the dir parameter to index.php/apps/files/ajax/scan.php.	Owncloud Server
CVE-2015-7298	Oct 26, 2015	ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.	Owncloud Desktop Client
CVE-2015-6670	Oct 26, 2015	ownCloud Server before 7.0.8, 8.0.x before 8.0.6, and 8.1.x before 8.1.1 does not properly check ownership of calendars, which ownCloud Server before 7.0.8, 8.0.x before 8.0.6, and 8.1.x before 8.1.1 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to apps/calendar/export.php.	Owncloud Server
CVE-2015-4717	Oct 21, 2015	The filename sanitization component in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 does not properly handle $_GET parameters cast by PHP to an array, which The filename sanitization component in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 does not properly handle $_GET parameters cast by PHP to an array, which allows remote attackers to cause a denial of service (infinite loop and log file consumption) via crafted endpoint file names.	Owncloud Owncloud Server
CVE-2015-5954	Oct 21, 2015	The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5 does not consider The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5 does not consider that NULL is a valid getPath return value, which allows remote authenticated users to bypass intended access restrictions and gain access to users files via a sharing link to a file with a deleted parent folder.	Owncloud Owncloud Server
CVE-2015-4718	Oct 21, 2015	The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 allows remote authenticated users to execute arbitrary SMB commands via a ; (semicolon) character in a file.	Owncloud Owncloud Server
CVE-2015-4716	Oct 21, 2015	Directory traversal vulnerability in the routing component in ownCloud Server before 7.0.6 and 8.0.x before 8.0.4, when running on Windows Directory traversal vulnerability in the routing component in ownCloud Server before 7.0.6 and 8.0.x before 8.0.4, when running on Windows, allows remote attackers to reinstall the application or execute arbitrary code via unspecified vectors.	Owncloud Owncloud Server
CVE-2015-5953	Oct 21, 2015	Cross-site scripting (XSS) vulnerability in the activity application in ownCloud Server before 7.0.5 and 8.0.x before 8.0.4 Cross-site scripting (XSS) vulnerability in the activity application in ownCloud Server before 7.0.5 and 8.0.x before 8.0.4 allows remote authenticated users to inject arbitrary web script or HTML via a " (double quote) character in a filename in a shared folder.	Owncloud Owncloud Server
CVE-2015-3013	May 08, 2015	ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allows remote authenticated users to bypass the file blacklist and upload arbitrary files via a file path with UTF-8 encoding, as demonstrated by uploading a .htaccess file.	Owncloud Server
CVE-2014-9048	Feb 04, 2015	The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote attackers to bypass the password-protection for shared files via the API.	Owncloud Owncloud Server
CVE-2014-9042	Feb 04, 2015	Cross-site scripting (XSS) vulnerability in the import functionality in the bookmarks application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 Cross-site scripting (XSS) vulnerability in the import functionality in the bookmarks application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote authenticated users to inject arbitrary web script or HTML by importing a link with an unspecified protocol. NOTE: this can be leveraged by remote attackers using CVE-2014-9041.	Owncloud Owncloud Server