An exposed ElasticSearch database at Nextcloud GmbH contained more than 360,000 records, but the company says the incident was limited to its hosting infrastructure and did not affect the open-source software or customer-operated servers.
Nextcloud GmbH, the company behind the open-source collaboration platform Nextcloud, has disclosed a potential data leak after an improperly configured ElasticSearch database containing more than 360,000 entries was found exposed online. The company stressed that the incident was confined to its hosting infrastructure and did not affect the open-source software or customer-operated Nextcloud servers.
According to Nextcloud, the exposure resulted from a hosting infrastructure misconfiguration rather than a vulnerability in the software itself. The approximately 8GB database reportedly contained customer, partner and employee information, along with contracts and scripts for corporate customers.
Security researchers discovered the exposed database on 18 May and notified Nextcloud about a week later. The company closed the exposed database within two days of receiving the report and informed the relevant supervisory authorities.
Cybernews security researchers warned, “If our team could find the exposed data set, then attackers could have done so too.”
Nextcloud said it has found no evidence that the exposed data was abused. “We are not currently aware of any case where the data was misused,” the company said in a statement to heise security. It also reiterated, “Other Nextcloud servers of our customers, partners, or other users are not affected by this problem.”
The incident highlights the distinction between infrastructure security and software security, demonstrating that the open-source Nextcloud codebase and self-hosted deployments remained uncompromised despite the company’s operational misconfiguration.















































































