Skip to content

Nextcloud: Elasticsearch Cluster Exposed Internal Company Data

The gist: A misconfigured Elasticsearch instance at Nextcloud exposed internal company data, customer contracts, database credentials and employee contacts over an extended period, but was shut down without detected misuse.

Security researchers from Cybernews discovered an unprotected Elasticsearch instance belonging to Nextcloud on 18 May containing 367,000 records totalling 7.9 gigabytes. The exposed database contained customer contracts, invoices and installation scripts.

The Elasticsearch instance had been publicly accessible for an extended period and contained extensive material from Nextcloud’s infrastructure. The largest data type share consisted of PDF documents (approximately 71,000), followed by around 53,000 PNG images and nearly 23,000 Markdown files. Among the unencrypted stored contents were invoices that Nextcloud had issued to customers or received from suppliers, from which email addresses of Nextcloud employees as well as names and addresses of customer companies could be extracted.

Additionally, exposed shell and Python scripts that Nextcloud had created for individual customers for installation on their infrastructure were present – in some cases with hardcoded database credentials. The database also contained email messages in EML format with timestamps, sender and recipient information, as well as lists with full names and business email addresses of beta testers. Business documents included contracts, templates and summaries with information on scope of services, user numbers and contract terms. Among the identified contacts were also individuals at hosting providers such as IONOS and Strato as well as employees of the Education Ministry of North Rhine-Westphalia.

Nextcloud told Cybernews that the cause lay in a misconfiguration of its own hosting infrastructure and was not related to Nextcloud software itself. Servers of customers, partners or other users were not affected. The cluster was shut down two days after notification by the researchers and has been inaccessible to the public since. Nextcloud reported the incident to the responsible state data protection authority. Neither Nextcloud nor the security researchers have found any evidence so far of actual misuse of the exposed data.


Source: www.it-daily.net · Published 8 July 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.3.

Share on: