theregister.com

Nextcloud puts out fire after data leak panic

Open source software biz Nextcloud issued fixes to its software this week after bug hunters raised concerns about data collection.

Mastodon user "Niels" was the first to notice some peculiar activity in their Nextcloud server logs after upgrading to version 31.0.0. Almost immediately after upgrading, they voiced concerns that Nextcloud was "enumerating all my local users."

Dutch researcher Tobias Fiebig jumped on the case. After some back and forth on the GitHub thread with Andy Scherzinger, Nextcloud's director of engineering, the two dismissed earlier theories that a four-year-old pull request had introduced a data leak bug, and realized that a February 2025 release had changed a default setting, which resulted in requests galore.

For a company that prides itself on giving its customers full control over their data, had the issue involved non-consensual user data collection as first suspected, it could have been a tricky one for Nextcloud to manage reputationally.

Fortunately, after the company's developers looked into it, they confirmed via Scherzinger that Nextcloud never stored user data unless users opted in through their personal settings.

It turns out that the flurry of requests generated by s16.nextcloud.com was due to a "logic issue" affecting the communication between Nextcloud server and its lookup server, which is used for federated sharing.

The issue resulted in unnecessary requests being made by the Nextcloud server to the lookup server. According to Scherzinger's comments on the GitHub thread, it was caused by a change made to clean up user data.

He added: "It would trigger a 'data has changed,' resulting in the Nextcloud server contacting the lookup server. It would send a request for all users who had any of their data ever set to 'published.' Moreover, it would also send a DELETE request for the data of all users with untouched account details since February 2021.

"For each user, the lookup server then follows up with an HTTP request to verify the authenticity of the request. The request leaks the Federated Cloud ID of the user and should use HTTPS when available. This follow-up is also not needed when users have no data on the lookup server, and we will change this logic."

While the Nextcloud team worked behind the scenes on a fix, it disabled the lookup server for all users to prevent excessive logging. It's also continuing to investigate reports from users who say they're unable to delete the user data on the lookup server.

A Nextcloud spokesperson told us they'd acted quickly to squash the bug, receiving the report "on Friday evening, and shutting down the server the report referenced on Saturday morning."

They added: "Our investigation has found that fortunately, the worries of the users expressed in GitHub and on social media (that an external server had data on their users) were not justified.

"Nextcloud does not and did not store information from user accounts without explicit consent from each individual user, nor was anything mistakenly exposed on our server.

"Luckily there was nothing to abuse here. To avoid alerting 'the baddies' who might abuse the situation we ask our community to report issues responsibly through HackerOne, where we offer a USD 10K bug bounty as motivation. All complex software has bugs, after all, so handling these well is important to us, especially as we are such a privacy-focused, open source project."

In future releases, Nextcloud will be changing the federated file sharing settings to off by default and introducing a warning popup for admins to ensure they know what they're getting themselves into if the setting is changed.

For now, though – just so Nextcloud can get a solid release out quickly – the devs opted for a hard-coded quick fix to disable the feature, per this pull request.

Nextcloud's second release candidate was shipped to users on Tuesday and the team is on track to issue the final release. ®
