ctipilot.ch
← Back to the live brief
NOTABLEincidentNATOB2

Nextcloud GmbH's own hosting infrastructure exposed 367K internal records via a misconfigured public Elasticsearch cluster, including client setup scripts with hardcoded credentials

discovered 2026-07-10 04:36 UTCrun 2026-07-10T0409Z-intel2 sourcesmulti-source

Cybernews researchers discovered a publicly reachable, unauthenticated Elasticsearch cluster — about 7.92 GB across ~367,000 records — belonging to Nextcloud GmbH's own hosting and business infrastructure, not the Nextcloud open-source collaboration software and not any customer-operated Nextcloud server (Cybernews, 2026-07-08). The cluster was reachable from at least 18 May until Nextcloud closed it around 25-27 May 2026. Exposed, and in many cases unencrypted, records included client invoices and contracts (naming partnership terms and contact email addresses), internal and client email with headers and timestamps, beta-feature signup lists, and — the most operationally significant category — shell and Python scripts Nextcloud built to set up and manage its product for clients, some containing hardcoded database credentials (T1552.001). Named exposed parties in the contact data include hosting providers IONOS and STRATO and German government bodies such as North Rhine-Westphalia's Ministry of Schools and Education (MSB NRW). Nextcloud confirmed the root cause as a hosting-infrastructure misconfiguration, said no customer-operated Nextcloud servers were affected, reported the incident to its German data-protection supervisory authority, and states it found no evidence the data was accessed before closure — though an internet-reachable, unauthenticated Elasticsearch index is precisely the target continuously swept by automated internet-wide scanning, so prior undetected access cannot be excluded (heise online, 2026-07-09).

The relevance for this constituency is the supplier context: Nextcloud is actively adopted as a "Euro-Office" sovereign-cloud alternative to Microsoft 365/SharePoint across EU public administration, so vendor-side exposure of client-specific onboarding scripts and hardcoded credentials is a supply-chain-adjacent risk to any public-sector tenant whose material was in the leak.

On May 18th, our research team discovered an exposed dataset containing 367,000 records. An investigation revealed that the cluster, with nearly 8GB of data, contained internal Nextcloud data.

Some records include hardcoded database credentials.

The issue was caused by a misconfiguration of our hosting infrastructure and is not related to the Nextcloud solution. No other Nextcloud servers belonging to our customers, partners or other users have been affected by this issue.

Cybernews 2026-07-08

Defender actions

  • If your organisation is a Nextcloud GmbH hosting/onboarding client, treat any credentials that appeared in vendor-supplied setup or management scripts as potentially exposed and rotate them, and review whether your deployment architecture was inferable from leaked material.
  • Brief helpdesk and finance staff to scrutinise invoice- or contract-themed emails referencing Nextcloud or its hosting partners (IONOS, STRATO) in the near term — the leaked invoices/contracts are ready-made spearphishing pretext.
  • Audit your own Elasticsearch/OpenSearch estate: bind clusters to internal-only interfaces or a VPC, enable the security/auth plugin (it is off by default on TCP 9200/9300), and add continuous external attack-surface scanning for unauthenticated data/management ports.
  • Treat hardcoded credentials in infrastructure-as-code and setup scripts as a secrets-management finding to remediate regardless of whether the script is ever exposed.
PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.