- Exposed ElasticSearch cluster at Nextcloud contained ~367k records (8GB), including employee data, client contracts, and scripts
- Sensitive information such as staff emails and client company details was left unencrypted; Nextcloud secured the archive within two days after notification
- Company attributed the incident to hosting misconfiguration, stressing customer servers were unaffected, though researchers warn attackers may have accessed the data
European cloud provider Nextcloud kept an unprotected database on the public internet, exposing sensitive internal and client data to anyone who knew where to look, experts have revealed.
Nextcloud is a free, open source platform that lets users create their own private cloud. It is often described as an alternative to Google Drive, or Microsoft 365, which allows users to control where their data sits.
In mid-May 2026, security researchers from Cybernews discovered a publicly exposed ElasticSearch cluster and, after a deeper investigation, determined it contained around 367,000 records (8GB of data in total). The archive was a mix of Nextcloud employee data, client company data, contracts, and scripts built for the company’s clients.
Nextcloud reacts
The majority of files were in .PDF format (71k), followed by .PNG (53k) and .MD (23k). All of the exposed records were found in a single index, with some revealing client company information, as well as data on Nextcloud staff. Some of the information was unencrypted, as well, exposing employee email addresses, client company names and addresses, and emails of individuals who sent invoices to Nextcloud.
Cybernews reached out to Nextcloud and the company locked the archive down within two days, and notified relevant authorities. It says it found no evidence of unauthorized access, but without a deep forensic analysis, it is impossible to say if that really is the case.
“If our team managed to discover the exposed dataset, threat actors may have too,” the Cybernews team wrote. “Malicious attackers operate numerous bots on the web that scour the net looking for exactly that: misconfigured databases with data to steal.”
The company also said this was a misconfiguration issue and that its services are secure: “The issue was caused by a misconfiguration of our hosting infrastructure and is not related to the Nextcloud solution. No other Nextcloud servers belonging to our customers, partners or other users have been affected by this issue,” the company’s spokesperson told the researchers.
