ownCloud
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in ownCloud.
By the Year
In 2026 there have been 1 vulnerability in ownCloud with an average score of 9.8 out of ten. Owncloud did not have any published security vulnerabilities last year. That is, 1 more vulnerability have already been reported in 2026 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 9.80 |
| 2025 | 0 | 0.00 |
| 2024 | 1 | 0.00 |
| 2023 | 3 | 6.57 |
| 2022 | 5 | 6.58 |
| 2021 | 5 | 6.46 |
| 2020 | 3 | 0.00 |
| 2019 | 2 | 0.00 |
It may take a day or so for new Owncloud vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent ownCloud Security Vulnerabilities
OwnCloud 8.1.8 Username Enumeration via share.php wildcard search
CVE-2019-25337
9.8 - Critical
- February 12, 2026
OwnCloud 8.1.8 contains a username enumeration vulnerability that allows remote attackers to discover user accounts by manipulating the share.php endpoint. Attackers can send crafted GET requests to /index.php/core/ajax/share.php with a wildcard search parameter to retrieve comprehensive user information.
Side Channel Attack
Owncloud Android App 4.3.1 PassCodeViewModel Priv Escalation
CVE-2024-50657
- November 22, 2024
An issue in Owncloud android apk v.4.3.1 allows a physically proximate attacker to escalate privileges via the PassCodeViewModel class, specifically in the checkPassCodeIsValid method
ownCloud core 10.13.1: unauth file access via pre-signed URLs
CVE-2023-49105
9.8 - Critical
- November 21, 2023
An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.
authentification
SQLi in ownCloud Android App (v2.21.1, 3.0)
CVE-2023-23948
5.5 - Medium
- February 13, 2023
The ownCloud Android app allows ownCloud users to access, share, and edit files and folders. Version 2.21.1 of the ownCloud Android app is vulnerable to SQL injection in `FileContentProvider.kt`. This issue can lead to information disclosure. Two databases, `filelist` and `owncloud_database`, are affected. In version 3.0, the `filelist` database was deprecated. However, injections affecting `owncloud_database` remain relevant as of version 3.0.
SQL Injection
OwnCloud Android App <3.0 Path Traversal & File Write
CVE-2023-24804
4.4 - Medium
- February 13, 2023
The ownCloud Android app allows ownCloud users to access, share, and edit files and folders. Prior to version 3.0, the app has an incomplete fix for a path traversal issue and is vulnerable to two bypass methods. The bypasses may lead to information disclosure when uploading the apps internal files, and to arbitrary file write when uploading plain text files (although limited by the .txt extension). Version 3.0 fixes the reported bypasses.
Directory traversal
ownCloud 10.11: misconfig renders trusted_domains ineffective, URL spoofing
CVE-2022-43679
5.3 - Medium
- November 10, 2022
The Docker image of ownCloud Server through 10.11 contains a misconfiguration that renders the trusted_domains config useless. This could be abused to spoof the URL in password-reset e-mail messages.
ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer.
CVE-2022-31649
7.5 - High
- June 09, 2022
ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer.
Exposure of Resource to Wrong Sphere
ownCloud owncloud/android 2.20 has Incorrect Access Control for local attackers.
CVE-2022-25339
5.5 - Medium
- April 07, 2022
ownCloud owncloud/android 2.20 has Incorrect Access Control for local attackers.
ownCloud owncloud/android before 2.20 has Incorrect Access Control for physically proximate attackers.
CVE-2022-25338
6.8 - Medium
- April 07, 2022
ownCloud owncloud/android before 2.20 has Incorrect Access Control for physically proximate attackers.
ownCloud owncloud/client before 2.9.2
CVE-2021-44537
7.8 - High
- January 15, 2022
ownCloud owncloud/client before 2.9.2 allows Resource Injection by a server into the desktop client via a URL, leading to remote code execution.
Injection
Session fixation on password protected public links in the ownCloud Server before 10.8.0
CVE-2021-35948
5.4 - Medium
- September 07, 2021
Session fixation on password protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled cookie.
Session Fixation
A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the permissions and therefore elevate their own permissions.
CVE-2021-35946
9.8 - Critical
- September 07, 2021
A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the permissions and therefore elevate their own permissions.
Improper Privilege Management
The shareinfo controller in the ownCloud Server before 10.8.0
CVE-2021-35949
5.3 - Medium
- September 07, 2021
The shareinfo controller in the ownCloud Server before 10.8.0 allows an attacker to bypass the permission checks for upload only shares and list metadata about the share.
AuthZ
The public share controller in the ownCloud server before version 10.8.0
CVE-2021-35947
5.3 - Medium
- September 07, 2021
The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL.
Generation of Error Message Containing Sensitive Information
ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure
CVE-2021-29659
6.5 - Medium
- May 20, 2021
ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces. Secondary, the retrieval of all users on a large instance could cause higher than average load on the instance.
The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted
CVE-2015-4715
- February 17, 2020
The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values.
Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2
CVE-2014-2052
- February 11, 2020
Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests
CVE-2014-2050
- January 23, 2020
Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header.
Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier
CVE-2013-0202
- December 17, 2019
Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php.
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier
CVE-2013-0203
- November 22, 2019
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to apps/bookmarks/ajax/addBookmark.php.
Inadequate escaping lead to XSS vulnerability in the search module in ownCloud Server before 8.2.12
CVE-2017-9338
- July 17, 2017
Inadequate escaping lead to XSS vulnerability in the search module in ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2. To be exploitable a user has to write or paste malicious content into the search dialogue.
A logical error in ownCloud Server before 10.0.2 caused disclosure of valid share tokens for public calendars
CVE-2017-9339
- July 17, 2017
A logical error in ownCloud Server before 10.0.2 caused disclosure of valid share tokens for public calendars. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token.
An attacker is logged in as a normal user and
CVE-2017-9340
- July 17, 2017
An attacker is logged in as a normal user and can somehow make admin to delete shared folders in ownCloud Server before 10.0.2.
ownCloud Server before 8.0.9 and 8.1.x before 8.1.4
CVE-2016-1501
4.3 - Medium
- January 08, 2016
ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 allow remote authenticated users to obtain sensitive information via unspecified vectors, which reveals the installation path in the resulting exception messages.
Information Disclosure
ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the "file_versions" application is enabled, does not properly check the return value of getOwner, which
CVE-2016-1500
3.1 - Low
- January 08, 2016
ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the "file_versions" application is enabled, does not properly check the return value of getOwner, which allows remote authenticated users to read the files with names starting with ".v" and belonging to a sharing user by leveraging an incoming share.
Information Disclosure
ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2
CVE-2016-1499
8.5 - High
- January 08, 2016
ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allow remote authenticated users to obtain sensitive information from a directory listing and possibly cause a denial of service (CPU consumption) via the force parameter to index.php/apps/files/ajax/scan.php.
Information Disclosure
Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2
CVE-2016-1498
6.1 - Medium
- January 08, 2016
Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a URL.
XSS
ownCloud iOS app before 3.4.4 does not properly switch state between multiple instances, which might
CVE-2015-5955
- October 29, 2015
ownCloud iOS app before 3.4.4 does not properly switch state between multiple instances, which might allow remote instance administrators to obtain sensitive credential and cookie information by reading authentication headers.
Insufficiently Protected Credentials
Directory traversal vulnerability in the routing component in ownCloud Server before 7.0.6 and 8.0.x before 8.0.4, when running on Windows
CVE-2015-4716
- October 21, 2015
Directory traversal vulnerability in the routing component in ownCloud Server before 7.0.6 and 8.0.x before 8.0.4, when running on Windows, allows remote attackers to reinstall the application or execute arbitrary code via unspecified vectors.
The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5 does not consider
CVE-2015-5954
- October 21, 2015
The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5 does not consider that NULL is a valid getPath return value, which allows remote authenticated users to bypass intended access restrictions and gain access to users files via a sharing link to a file with a deleted parent folder.
The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4
CVE-2015-4718
- October 21, 2015
The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 allows remote authenticated users to execute arbitrary SMB commands via a ; (semicolon) character in a file.
The filename sanitization component in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 does not properly handle $_GET parameters cast by PHP to an array, which
CVE-2015-4717
- October 21, 2015
The filename sanitization component in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 does not properly handle $_GET parameters cast by PHP to an array, which allows remote attackers to cause a denial of service (infinite loop and log file consumption) via crafted endpoint file names.
Cross-site scripting (XSS) vulnerability in the activity application in ownCloud Server before 7.0.5 and 8.0.x before 8.0.4
CVE-2015-5953
- October 21, 2015
Cross-site scripting (XSS) vulnerability in the activity application in ownCloud Server before 7.0.5 and 8.0.x before 8.0.4 allows remote authenticated users to inject arbitrary web script or HTML via a " (double quote) character in a filename in a shared folder.
XSS
The user_ldap (aka LDAP user and group backend) application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3
CVE-2014-9043
- February 04, 2015
The user_ldap (aka LDAP user and group backend) application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to bypass authentication via a null byte in the password and a valid user name, which triggers an unauthenticated bind.
authentification
The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3
CVE-2014-9048
- February 04, 2015
The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote attackers to bypass the password-protection for shared files via the API.
Permissions, Privileges, and Access Controls
Multiple unspecified vulnerabilities in the preview system in ownCloud 6.x before 6.0.6 and 7.x before 7.0.3
CVE-2014-9047
- February 04, 2015
Multiple unspecified vulnerabilities in the preview system in ownCloud 6.x before 6.0.6 and 7.x before 7.0.3 allow remote attackers to read arbitrary files via unknown vectors.
The OC_Util::getUrlContent function in ownCloud Server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3
CVE-2014-9046
- February 04, 2015
The OC_Util::getUrlContent function in ownCloud Server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to read arbitrary files via a file:// protocol.
Information Disclosure
The FTP backend in user_external in ownCloud Server before 5.0.18 and 6.x before 6.0.6
CVE-2014-9045
- February 04, 2015
The FTP backend in user_external in ownCloud Server before 5.0.18 and 6.x before 6.0.6 allows remote attackers to bypass intended authentication requirements via a crafted password.
authentification
Cross-site scripting (XSS) vulnerability in the import functionality in the bookmarks application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3
CVE-2014-9042
- February 04, 2015
Cross-site scripting (XSS) vulnerability in the import functionality in the bookmarks application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote authenticated users to inject arbitrary web script or HTML by importing a link with an unspecified protocol. NOTE: this can be leveraged by remote attackers using CVE-2014-9041.
XSS
The import functionality in the bookmarks application in ownCloud server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 does not validate CSRF tokens, which
CVE-2014-9041
- February 04, 2015
The import functionality in the bookmarks application in ownCloud server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 does not validate CSRF tokens, which allow remote attackers to conduct CSRF attacks.
Session Riding
Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows
CVE-2014-2044
- October 06, 2014
Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program.
Directory traversal vulnerability in the routing component in ownCloud Server before 5.0.17 and 6.0.x before 6.0.4
CVE-2014-4929
- August 20, 2014
Directory traversal vulnerability in the routing component in ownCloud Server before 5.0.17 and 6.0.x before 6.0.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in a filename, related to index.php.
Directory traversal
ownCloud Server before 4.5.7 does not properly check ownership of calendars, which
CVE-2013-0304
- June 05, 2014
ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to /apps/calendar/export.php. NOTE: this issue has been reported as a cross-site request forgery (CSRF) vulnerability, but due to lack of details, it is uncertain what the root cause is.
Unspecified vulnerability in ownCloud Server before 4.0.12
CVE-2013-0302
- June 05, 2014
Unspecified vulnerability in ownCloud Server before 4.0.12 allows remote attackers to obtain sensitive information via unspecified vectors related to "inclusion of the Amazon SDK testing suite." NOTE: due to lack of details, it is not clear whether the issue exists in ownCloud itself, or in Amazon SDK.
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud Server before 6.0.3 allow remote attackers to hijack the authentication of users for requests
CVE-2014-3836
- June 04, 2014
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud Server before 6.0.3 allow remote attackers to hijack the authentication of users for requests that (1) conduct cross-site scripting (XSS) attacks, (2) modify files, or (3) rename files via unspecified vectors.
ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not properly check permissions, which
CVE-2014-3838
- June 04, 2014
ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not properly check permissions, which allows remote authenticated users to read the names of files of other users by leveraging access to multiple accounts.
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 4.0.8
CVE-2012-5056
- June 04, 2014
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 4.0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) readyCallback parameter to apps/files_odfviewer/src/webodf/webodf/flashput/PUT.swf, the (2) root parameter to apps/gallery/templates/index.php, or a (3) malformed query to lib/db.php.
XSS
CRLF injection vulnerability in ownCloud Server before 4.0.8
CVE-2012-5057
- June 04, 2014
CRLF injection vulnerability in ownCloud Server before 4.0.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the url path parameter.
The installation routine in ownCloud Server before 4.0.14, 4.5.x before 4.5.9, and 5.0.x before 5.0.4 uses the time function to seed the generation of the PostgreSQL database user password, which makes it easier for remote attackers to guess the password
CVE-2013-1941
- June 04, 2014
The installation routine in ownCloud Server before 4.0.14, 4.5.x before 4.5.9, and 5.0.x before 5.0.4 uses the time function to seed the generation of the PostgreSQL database user password, which makes it easier for remote attackers to guess the password via a brute force attack.
Cryptographic Issues
The document application in ownCloud Server before 6.0.3 uses sequential values for the file_id, which
CVE-2014-3837
- June 04, 2014
The document application in ownCloud Server before 6.0.3 uses sequential values for the file_id, which allows remote authenticated users to enumerate shared files via unspecified vectors.
