Nextcloud releases security scanner to help protect private clouds

Originally published at:

Our job is to help you stay in control over your data. Nextcloud is designed to be the easiest, most secure private cloud available. To keep it safe, it is important to keep your server up to date and we introduce the Nextcloud Private Cloud Security Scanner to help you with that. The results of our analysis have been covered in an article you might have seen in Der Spiegel.

We help you keep your data yours

Last year, Dropbox lost data from 68 Million accounts, and Yahoo famously had data from no less than 1 billion accounts compromised. People who run a private cloud server like Pydio, ownCloud or Nextcloud presumably do so to keep their data from prying eyes. Sadly, privacy means little without security and it is not trivial to keep a server secure.

Frequently, security researchers find new ways to break cryptographic systems or mistakes are found in the software you run. Where many software companies tend to try to hide security issues in their software, only to be exposed when massive dumps of user data are found on the dark web (Yahoo kept its breach secret for 3 years!), Nextcloud strives to be transparent while developing new, innovative security capabilities. The reality is that any complex piece of software has security issues and finding and fixing them is a more effective way of dealing than the Ostrich Method. We pay security researchers up to USD 5000 rather than sueing them or letting their reports fall on deaf ears, a tactic that has been proven to work well. A result is frequent updates with security related fixes.

To help you keep your system up to date, Nextcloud made updating Nextcloud servers super easy. Our new updater notifies system administrators of new versions and once started by them, automatically checks if all dependencies are there, makes a backup and then replaces the files on your server with the new version. We know updating still requires a bit of work and attention, so we keep working on lowering the barrier to an up to date and secure system.

Introducing the Private Cloud Security Scanner

From what people tell us at events and online, we know many servers still are not kept updated. That often comes with big security risks. Some problems in older versions enable an attacker to take over a server completely; others allow unauthorized downloading of some or all of the data on the server! It is the nature of security in software development that running old, un-updated versions is a risk. Also a legal risk, as Europe has strict General Data Protection Regulation.

To help you assess the security of your private cloud server, Nextcloud has developed the Private Cloud Security Scanner. By entering the URL of your server, you can learn if there is a newer version of your private cloud software and what vulnerabilities exist in the one you are currently running. A few simple checks are also done to assess other security settings on your server.

Please note that the scanner merely does a very simple, basic check, inquiring from the server what version it runs and analyze the response. No ‘hacking’ attempt is made, and there are many other things which can be broken that this minimal scan does not see.

Looking on the web

While developing the security scanner we had a look at the state of security of private cloud servers online. Many administrators might not be aware how easy it is to get a list of servers on the web! Services like provide the ability to search for specifics and it is simple to get a list of tens of thousands of instances and look at them.

We quickly realized a VERY large percentage was insecure. Many hundreds of servers had such severe vulnerabilities they could be taken over entirely. Data from thousands can be downloaded trivially and tens of thousands more are vulnerable with only a little bit of work on part of the attacker, like obtaining a sharing link. About two-thirds of the servers we looked at were vulnerable. With an estimated 200K servers out there it extrapolates to a scary large number. We did not feel any better looking at the specific URLs, seeing political parties, hospitals, universities, large corporations and governments in the list of insecure servers.

At this point, we decided we should warn the administrators of these instances. Of course, a blog or tweet would not make much difference as some had not upgraded for years. And publicity could encourage people with more nefarious goals to look at these servers and try to break in. The events around a Drupal vulnerability have shown that, within hours of public disclosure, it might already be too late to patch servers. We discussed trying to reach out directly but thought it wasn’t really our place to contact people directly, many of whom were not even running Nextcloud.

Instead, we looked at what the usual process to follow is when you discover a big security issue like this. That is to alert the security organizations in various countries like the volunteers from the Shadowserver Foundation, the SWITCH Foundation in Switzerland, the BSI in Germany and so on and discuss what to do. They decided to reach out to users with a personal warning, including the results of the scan. This reach-out goes through different channels, depending on country and organization which handles this. Some reach out directly, others go via service providers or other channels. We made sure the security scan would not expose any private data, using unique IDs instead of URLs to present them the results and we kept as quiet as possible on our communication channels about this matter.


The effort has been quite successful. Of the tens of thousands server owners who were informed, over 5% had upgraded already in the first ten days. We noticed that especially the administrators of the more active and heavily used servers responded by upgrading, securing a large number of user accounts.

The outreach through the security organizations in each country went less than perfect, too. Some don’t handle this anywhere near as nice as we’d like to have seen; there was one instance which just emailed the entire list of vulnerable URL’s to its entire customer base. Others did not alert their customers at all. But most did a reasonable job in both making clear the urgency of the issue and protecting the privacy of their users.

But we could only see and contact a subset of the total number of servers out there. Despite our significant efforts, we estimate that there are at least another 50.000 insecure private cloud servers out there we have not been able to warn. This is where, among other things, this blog post comes in: we hope to enlist the community in our efforts to reach out and get as many private cloud servers upgraded as soon as possible to the latest release of whatever software they run, explaining to system administrators how important this is. If needed, you can use information from this blog by Lukas to explain the dangers. And, of course - the article on Der Spiegel.


Nextcloud has been working hard on making it easier to keep your system up to date. We rewrote the update tool for Nextcloud 10, making it easy to use it from the command line in Nextcloud 11 and Nextcloud 12 will no longer disable apps when doing a security update, making the updates less intrusive. More improvements are being worked on. Our ultimate goal is to make updates so seamless they can be done fully automatic without any administrator involvement or downtime. At this moment, we have achieved this on the Nextcloud Box, using Canonical's Snap technology which automates updates entirely. You can read more about that in this whitepaper.

We also plan to improve the security scan. From today you can use it to scan your own server and see what the security state is, and we have already invited other open source private cloud projects to work with us and make it possible to scan their software as well. ownCloud has responded by creating their own scan.

More information

If you are wondering what the dangers are of using an outdated private cloud server, Lukas has written a great analysis of the risks and Spiegel Online has a more political view on what this kind of issues can mean for our society.

If you currently run a private cloud server like ownCloud or Nextcloud you can follow our extensive instructions on how to get updated to a secure release!

If you want to know what this entire private cloud thing is all about, read this article on


We would like to thank everybody who has been helping us reach out to server owners, including Der Spiegel and other press, both for keeping this quiet to give server owners time to upgrade and for helping explain the risks now.

Is it possible to perform this scan with NAT closed environments? :slight_smile:

Haven’t you just :slight_smile:

How to interprete this message?

ah i am stupid… I’ve written http.// instead of https://

1 Like


This tool look awesome, is there some kind of API ?
I explain myself: I’m administrating several Nextcloud instances and I would be very usefull for me either to run a script that check that each instance is up to date and safe or run the scanner on each server periodically and receive a report by e-mail if something should be done.

1 Like

I have a nextcloud instance running with a custom port and custom nextcloud prefix like

When I let the scanner scan this URL it returns:

Scan failed! The scan for the specified domain failed.
Either no Nextcloud or ownCloud can be found there or you tried to scan
too many servers.

could the scanner be adapted so that it can scan it.

That’ll probably need some adjustments by @LukasReschke :wink:


I get the same error as @jakobssystems but hopefully without doing a typo.
I have tried with and without https:// and works.

No vulnerabilities
Thank you for being up to date and caring about ownCloud security. To keep you informed you might want to sign up to our newsletter.

I followed @riegerCLOUD install guide and I use geoip and nginx. Is the server located in Germany? DE should be allowed and I tried to disable geoip but it does not work. Any idea?

is IPv6 supported by the scan? I got an error that no Nextcloud instance was found. Sadly my provider has only DSLite stacks.

1 Like

One of our hosting providers for the scanner doesn’t support IPv6 at the moment. Thus the scanner won’t be able to detect IPv6 hosts.

Did you try to call them and ask for IPv4? I just moved my server from IPv4 only provider to IPv6+DS-Lite, found out about all the problems related to it, called them and instantly got switched to dual stack :smiley:.

Not so far. In their FAQ they refer to a company which sells routers with configured IPv4 tunnel. Thank you for the hint.

The results don’t match for many clients i support. Neither the shown URL nor the domain host_prefix fit.
Most results are obsolete, so my question is how to force a rescan?
If I press the icon for rescan and wait for more than the suggested 5 minutes nothing changed since days.
I would really appreciate any kind of assistance. Thanks in advance. Carsten

After the rescanning, you need a reload (strg + F5)…

By my first try, the Url wich should be was shown as

In my apache conf I had
Alias /owncloud “pathToTheCloudDir”

After commenting this entry out, the test showed me the right url…

So I think the test seeks for “known” urls and the first of it is shown, also if this is not the url of the cloud…

1 Like

Hi Soko, unfortunately STRG+F5 doesn’t solve this behaviour. Nextcloud is based on NGINX and doesn’t point to any subdir since weeks. NGINX and REDIS were restarted several times … what might help?

Yes, I can reproduce your issue, don’t have a solution.

Trying with makes a new scan and ends with no Installation found error…

Scan failed! The scan for the specified domain failed. Either no Nextcloud or ownCloud can be found there or you tried to scan too many servers.

Think nextcloud have to delete the scan from 17/02/20 out of their cache…

@LukasReschke ???

Thx for reproducing and assistance! Hopefully waiting for @LukasReschke :wink:

@LukasReschke: I can’t scan further URLs regarding this instance neither:

I set X-Frame-Options to ALLOW-FROM because of Collabora - maybe the scanner could report the returned header instead of simply complaining that it isn’t set to SAMEORIGIN?

Great idea, thanks for this!

I’ve made the tweaks and want to rescan, but its remembering me :frowning:
How can I rescan please?

Is their an option to clear cache the same as the ssl test website :slight_smile:

Edit: Requested rescan and waited for a while, seemed more than 5 mins, but it didn’t seem to rescan in front of my eyes but in the background? Maybe I am wrong there, but the rescan did occur and an A+

Hopefully there will be some reminders in the gui to rescan if it hasn’t been done for x period of time, so I don’t forget to keep checking it in the future :slight_smile: