Nextcloud: Vulnerability allows attackers to inject and run code
In Nextcloud Flow, attackers can exploit a security vulnerability to compromise the instance. An update is available.
In Nextcloud Flow, the developers have identified a security vulnerability that could allow attackers to take over instances. Updated software that fixes the vulnerability is available.
With Nextcloud, interested parties and organizations can host their cloud services themselves, independent of tech giants from the US, for example. The software offers online storage space, mail management, calendars, and many familiar services. It can also be expanded with apps for photo management, task planning, notes, or even cookbooks. The component Nextcloud Flow allows Nextcloud to be extended without programming knowledge and routine tasks or workflows to be automated and optimized.
Security vulnerability in Nextcloud Flow
The security vulnerability in Nextcloud Flow, which a security advisory now warns of, narrowly misses the risk classification “critical.” Unauthenticated attackers from the network can obtain the “SUPERADMIN_SECRET” through an unspecified method and use it to log in as Super-Admin. This allows them to compromise the server within the Flow container and thus read arbitrary files, for example leaking the file “windmill_users_config.json”, which contains the admin token in plain text, and then execute malicious code from the network as the root user within the container (CVSS 8.8, risk “high”). The underlying flaw in the Windmill framework that Flow uses is a so-called “path traversal,” which grants access to files and folders that are not actually meant to be accessible (CVE-2026-29059, CVSS 4 6.9, risk “medium”).
Nextcloud has closed the security vulnerability with Nextcloud Flow 1.3.0. This software version has been available for download and installation since mid-January 2026. IT managers who have not yet updated to the fixed components should do so now. If this is not possible, the recommendation is to deactivate the Flow app and the container.
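As an added illustration of how a defender might look for the path traversal described above in web access logs, the following Python script is not part of the article or of Nextcloud or Windmill. The log lines, the request paths and the client addresses are constructed; the advisory does not name the affected endpoint, so the paths are placeholders. The script decodes percent-encoding repeatedly (to catch double encoding), flags any request whose decoded path contains a “..” segment, and separately flags any request that names “windmill_users_config.json”.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in "combined" format (not real Windmill or
# Nextcloud Flow logs); the URL paths are illustrative placeholders, not the
# actual vulnerable endpoint, which the advisory does not name.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2026:10:00:01 +0000] "GET /api/w/demo/apps/..%2F..%2Fwindmill_users_config.json HTTP/1.1" 200 512
198.51.100.7 - - [12/Jan/2026:10:00:02 +0000] "GET /api/w/demo/flows/list HTTP/1.1" 200 2048
203.0.113.5 - - [12/Jan/2026:10:00:03 +0000] "GET /api/%252e%252e/%252e%252e/windmill_users_config.json HTTP/1.1" 200 512
198.51.100.7 - - [12/Jan/2026:10:00:04 +0000] "GET /api/w/demo/files/report..v2.json HTTP/1.1" 200 77
"""

SENSITIVE_FILES = {"windmill_users_config.json"}
LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) HTTP/[\d.]+"')

def normalize_path(raw: str) -> str:
    """Drop the query string, percent-decode repeatedly (catches %252e double
    encoding) and unify path separators so segment checks are reliable."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def classify(raw_path: str) -> list[str]:
    """Return the reasons a request path looks like traversal or a read of a
    sensitive file; an empty list means the path looks benign."""
    segments = normalize_path(raw_path).split("/")
    reasons = []
    if any(seg == ".." for seg in segments):  # "report..v2.json" is not a ".." segment
        reasons.append("dot-dot segment after decoding")
    if segments[-1] in SENSITIVE_FILES:
        reasons.append(f"sensitive file requested: {segments[-1]}")
    return reasons

def scan_log(text: str) -> list[dict]:
    """Parse each log line and collect the entries worth an analyst's attention."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = classify(m["path"])
        if reasons:
            hits.append({"client": m["client"], "path": m["path"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["path"], "; ".join(hit["reasons"]))
```

A hit on the config file name is worth treating as a possible token disclosure regardless of the response code, since a successful read returns 200 like any other request.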
c't 3003 took a closer look at Nextcloud last weekend and tried it out as an alternative to Teams, for example.
(dmk)