2026-07-10 · view entry permalink →
Nextcloud GmbH's own hosting infrastructure exposed 367K internal records via a misconfigured public Elasticsearch cluster, including client setup scripts with hardcoded credentials
Cybernews researchers discovered a publicly reachable, unauthenticated Elasticsearch cluster — about 7.92 GB across ~367,000 records — belonging to Nextcloud GmbH's own hosting and business infrastructure, not the Nextcloud open-source collaboration software and not any customer-operated Nextcloud server (Cybernews, 2026-07-08). The cluster was reachable from at least 18 May until Nextcloud closed it around 25-27 May 2026. Exposed, and in many cases unencrypted, records included client invoices and contracts (naming partnership terms and contact email addresses), internal and client email with headers and timestamps, beta-feature signup lists, and — the most operationally significant category — shell and Python scripts Nextcloud built to set up and manage its product for clients, some containing hardcoded database credentials (T1552.001). Named exposed parties in the contact data include hosting providers IONOS and STRATO and German government bodies such as North Rhine-Westphalia's Ministry of Schools and Education (MSB NRW). Nextcloud confirmed the root cause as a hosting-infrastructure misconfiguration, said no customer-operated Nextcloud servers were affected, reported the incident to its German data-protection supervisory authority, and states it found no evidence the data was accessed before closure — though an internet-reachable, unauthenticated Elasticsearch index is precisely the target continuously swept by automated internet-wide scanning, so prior undetected access cannot be excluded (heise online, 2026-07-09).
The relevance for this constituency is the supplier context: Nextcloud is actively adopted as a "Euro-Office" sovereign-cloud alternative to Microsoft 365/SharePoint across EU public administration, so vendor-side exposure of client-specific onboarding scripts and hardcoded credentials is a supply-chain-adjacent risk to any public-sector tenant whose material was in the leak.
On May 18th, our research team discovered an exposed dataset containing 367,000 records. An investigation revealed that the cluster, with nearly 8GB of data, contained internal Nextcloud data.
Some records include hardcoded database credentials.
The issue was caused by a misconfiguration of our hosting infrastructure and is not related to the Nextcloud solution. No other Nextcloud servers belonging to our customers, partners or other users have been affected by this issue.