- The ElasticSearch cluster exposed on Nextcloud contained ~367,000 records (8 GB), including employee data, customer contracts, and scripts.
- Sensitive information, such as staff emails and client company details, was not encrypted; Nextcloud secured the file within two days of notification
- The company attributed the incident to hosting misconfiguration and emphasized that customer servers were not affected, although researchers warn that attackers may have accessed data.
European cloud provider Nextcloud kept an unprotected database on the public Internet, exposing sensitive internal and customer data to anyone who knew where to look, experts revealed.
Nextcloud is a free and open source platform that allows users to create their own private cloud. It is often described as an alternative to Google Drive or Microsoft 365, allowing users to control where their data is located.
In mid-May 2026, security researchers from cyber news discovered a publicly exposed ElasticSearch cluster and, after further investigation, determined that it contained around 367,000 records (8 GB of data in total). The file was a combination of Nextcloud employee data, client company data, contracts, and scripts created for the company’s clients.
Nextcloud reacts
Most files were in .PDF format (71k), followed by .PNG (53k) and .MD (23k). All of the exposed records were found in a single index, and some reveal information about the client’s company as well as data about Nextcloud staff. Some of the information was also unencrypted, exposing employee email addresses, customer company names and addresses, and emails of people who sent invoices to Nextcloud.
cyber news He contacted Nextcloud and the company blocked the file within two days and notified the relevant authorities. It says it found no evidence of unauthorized access, but without deep forensic analysis, it’s impossible to say if that’s actually the case.
“If our team managed to discover the exposed data set, it is possible that the threat actors did too,” he said. cyber news the team wrote. “Malicious attackers operate numerous webbots that scour the network looking for exactly that: misconfigured databases with data to steal.”
The company also said that this was a misconfiguration issue and that its services are secure: “The issue was caused by a misconfiguration of our hosting infrastructure and is not related to the Nextcloud solution. No other Nextcloud servers belonging to our customers, partners or other users have been affected by this issue,” the company spokesperson told investigators.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.




