Nextcloud Exposes 367K Records in Unsecured ElasticSearch Cluster
In mid-May 2026, security researchers from Cybernews uncovered an unprotected ElasticSearch cluster belonging to European cloud provider Nextcloud, exposing approximately 367,000 records (8GB) of sensitive internal and client data. The exposed archive included employee emails, client company details, contracts, and scripts some stored unencrypted leaving information such as staff email addresses, client names, addresses, and invoice-related communications accessible to anyone with knowledge of the cluster’s location.
The majority of the files were PDFs (71,000), followed by PNGs (53,000) and Markdown files (23,000), all housed in a single index. While Nextcloud secured the database within two days of being notified and reported no evidence of unauthorized access, researchers cautioned that malicious actors could have discovered the misconfiguration using automated scanning tools.
Nextcloud attributed the incident to a hosting infrastructure misconfiguration, emphasizing that customer servers remained unaffected and that the breach was unrelated to its core cloud platform. The company also notified relevant authorities but acknowledged that a full forensic analysis would be required to confirm whether data was accessed by third parties. The exposed dataset was part of Nextcloud’s internal operations, not its user-hosted services.
Nextcloud cybersecurity rating report: https://www.rankiteo.com/company/nextcloud-gmbh
"id": "NEX1783601099",
"linkid": "nextcloud-gmbh",
"type": "Breach",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology/Cloud Services',
'location': 'Europe',
'name': 'Nextcloud',
'type': 'Cloud Provider'}],
'attack_vector': 'Misconfiguration',
'customer_advisories': 'Customer servers remained unaffected; breach '
'unrelated to core cloud platform',
'data_breach': {'data_encryption': 'Partial (some data unencrypted)',
'file_types_exposed': ['PDF (71,000)',
'PNG (53,000)',
'Markdown (23,000)'],
'number_of_records_exposed': '367,000',
'personally_identifiable_information': ['Staff email '
'addresses',
'Client names',
'Addresses'],
'sensitivity_of_data': 'High (PII, internal communications)',
'type_of_data_compromised': ['Employee emails',
'Client company details',
'Contracts',
'Scripts',
'Invoice-related '
'communications']},
'date_detected': '2026-05-15',
'description': 'Security researchers from Cybernews uncovered an unprotected '
'ElasticSearch cluster belonging to European cloud provider '
'Nextcloud, exposing approximately 367,000 records (8GB) of '
'sensitive internal and client data. The exposed archive '
'included employee emails, client company details, contracts, '
'and scripts, some stored unencrypted, leaving information '
'such as staff email addresses, client names, addresses, and '
'invoice-related communications accessible to anyone with '
'knowledge of the cluster’s location.',
'impact': {'brand_reputation_impact': 'Potential reputational damage',
'data_compromised': '367,000 records (8GB)',
'identity_theft_risk': 'High (exposed PII)',
'operational_impact': 'Potential unauthorized access to internal '
'and client data',
'systems_affected': 'ElasticSearch cluster'},
'investigation_status': 'Ongoing (forensic analysis required)',
'post_incident_analysis': {'root_causes': 'Hosting infrastructure '
'misconfiguration'},
'references': [{'source': 'Cybernews'}],
'regulatory_compliance': {'regulatory_notifications': 'Notified relevant '
'authorities'},
'response': {'communication_strategy': 'Notified relevant authorities; '
'acknowledged need for forensic '
'analysis',
'containment_measures': 'Secured the database within two days of '
'notification',
'remediation_measures': 'Hosting infrastructure misconfiguration '
'addressed'},
'title': 'Nextcloud Exposes 367K Records in Unsecured ElasticSearch Cluster',
'type': 'Data Exposure',
'vulnerability_exploited': 'Unsecured ElasticSearch cluster'}