ctipilot.ch

Nextcloud GmbH corporate Elasticsearch data exposure (2026)

incident · incident:nextcloud-gmbh-elasticsearch-exposure-2026

Misconfigured, publicly exposed Elasticsearch cluster on Nextcloud GmbH's own hosting infrastructure exposed ~367,000 internal records — invoices, contracts, client setup scripts with hardcoded database credentials, and internal/client email — for ~9 days in May 2026; discovered and disclosed by Cybernews. The open-source Nextcloud software and customer-operated servers were unaffected; exposed contacts included German state ministry MSB NRW (Cybernews/heise, 2026-07-08).

Aliases: Nextcloud data leak

Coverage timeline
1
first 2026-07-10 → last 2026-07-10
Peak priority
notable
1 notable
Sources cited
2
2 hosts
Sections touched
1
active-threats
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
2
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques
Affected products
Elastic Elasticsearch

ATT&CK techniques

2 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1566Phishing×1

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Evidence: 2026-07-10/nextcloud-gmbh-elasticsearch-exposure-msb-nrw · ATT&CK page ↗

Credential Access TA0006

T1552.001Unsecured Credentials: Credentials In Files×1

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

Evidence: 2026-07-10/nextcloud-gmbh-elasticsearch-exposure-msb-nrw · ATT&CK page ↗

Story timeline

  1. 2026-07-10Nextcloud GmbH's own hosting infrastructure exposed 367K internal records via a misconfigured public Elasticsearch cluster, including client setup scripts with hardcoded credentials
    active-threatsNextcloud GmbH exposed 367K internal records — client setup scripts with hardcoded DB credentials, a German ministry contact — via open Elasticsearch

Where this entity is cited

  • active-threats1

Source distribution

  • cybernews.com1 (50%)
  • heise.de1 (50%)

Entries about Nextcloud GmbH corporate Elasticsearch data exposure (2026) (1)

2026-07-10 · view entry permalink →

NOTABLE

Nextcloud GmbH's own hosting infrastructure exposed 367K internal records via a misconfigured public Elasticsearch cluster, including client setup scripts with hardcoded credentials

Cybernews researchers discovered a publicly reachable, unauthenticated Elasticsearch cluster — about 7.92 GB across ~367,000 records — belonging to Nextcloud GmbH's own hosting and business infrastructure, not the Nextcloud open-source collaboration software and not any customer-operated Nextcloud server (Cybernews, 2026-07-08). The cluster was reachable from at least 18 May until Nextcloud closed it around 25-27 May 2026. Exposed, and in many cases unencrypted, records included client invoices and contracts (naming partnership terms and contact email addresses), internal and client email with headers and timestamps, beta-feature signup lists, and — the most operationally significant category — shell and Python scripts Nextcloud built to set up and manage its product for clients, some containing hardcoded database credentials (T1552.001). Named exposed parties in the contact data include hosting providers IONOS and STRATO and German government bodies such as North Rhine-Westphalia's Ministry of Schools and Education (MSB NRW). Nextcloud confirmed the root cause as a hosting-infrastructure misconfiguration, said no customer-operated Nextcloud servers were affected, reported the incident to its German data-protection supervisory authority, and states it found no evidence the data was accessed before closure — though an internet-reachable, unauthenticated Elasticsearch index is precisely the target continuously swept by automated internet-wide scanning, so prior undetected access cannot be excluded (heise online, 2026-07-09).

The relevance for this constituency is the supplier context: Nextcloud is actively adopted as a "Euro-Office" sovereign-cloud alternative to Microsoft 365/SharePoint across EU public administration, so vendor-side exposure of client-specific onboarding scripts and hardcoded credentials is a supply-chain-adjacent risk to any public-sector tenant whose material was in the leak.

On May 18th, our research team discovered an exposed dataset containing 367,000 records. An investigation revealed that the cluster, with nearly 8GB of data, contained internal Nextcloud data.

Some records include hardcoded database credentials.

The issue was caused by a misconfiguration of our hosting infrastructure and is not related to the Nextcloud solution. No other Nextcloud servers belonging to our customers, partners or other users have been affected by this issue.

Cybernews 2026-07-08
incident10 Jul 04:36Zmulti-sourceOpen finding ↗