SCARIEST EVER upgrade in my entire life

Hello all

I witnessed the scariest, most frightening upgrade of any system in my 30 years in the field. We have NC 18.0.2 hosted on one of our servers. One of the junior interns was trying to log in via web, but all he got instead of the login page was the new update available page. There was no option to log in. That is the first sin, but the scary part was that he could just click on update the system without being asked for any username or password. He wasn’t even logged in as himself and even if he did he has the lowest possible permission levels. After the update, everyone could see the login page again.

REALLLLYYYY???

To summarise:
1 - update was available
2 - no one could log in
3 - anyone on the internet could have just pressed the update button and updated
4 - no login required

Throughout history wars have started for far less…

Scary!!!

Thanks
Nima

The person who is responsible for managing your Nextcloud instance installed the update but did not finish the process. To be precise: the files for the next version are in place but those changes are not populated to the database yet.

I always use the CLI updater to install updates. Then everything is done in one go. It’s also possible to turn off the web-based upgrade if you want to.

5 Likes

Not “REALLLLYYYY”. This was human error at your end.

I always use the command line to upgrade, since it gives better feedback and I can do everything at once, but you had an admin start the upgrade and leave it unfinished. That meant the final step was presented on the web interface to ensure it was completed.

That’s still not a big deal. That doesn’t mean “anyone on the internet could have just pressed the update button”, it means that anyone on the internet could have completed the update, making your Nextcloud instance available again.

So, to summarise:
1 - an update had been started but not completed
2 - no one could log in until the update was completed
3 - anyone on the internet could have just pressed a button to finish the update
4 - an admin login was required to start the update, but that admin didn’t finish the update
5 - the update was easily finished, and nothing was damaged, compromised, or lost

This situation is only scary if you don’t understand how any of this works. Regardless, you should slap the admin that did a half-arsed job.

2 Likes

I think even this will not be possible if the admin chooses to leave maintenance mode on and perform a CLI update. In this case only the maintenance page should be shown to all users and nobody can click “update”.

So basically there are 2 ways of doing updates:

  • For small hosting it could all be done via the Web UI as you did, but then some users could face this “update” button page.
  • Or, for a bigger installation you could:
    • do the update via the Web UI and then leave maintenance mode on to continue with a CLI update.
      OR
    • perform the whole update process via CLI only, with maintenance mode on.
      In both cases nobody via web will see anything except the maintenance landing page.
1 Like
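
Added example, not part of any post in this thread: a small monitoring check that classifies the body returned by an instance's `status.php` so the half-finished state discussed above (new files in place, database not migrated, maintenance mode off) gets flagged. The `maintenance` and `needsDbUpgrade` fields are what `status.php` serves; the sample bodies, version placeholders and function names are constructed for illustration.

```python
import json

# Constructed status.php bodies (field names as served by Nextcloud's
# status.php; version strings are placeholders, not taken from the thread).
SAMPLES = {
    "half_finished": '{"installed":true,"maintenance":false,'
                     '"needsDbUpgrade":true,"versionstring":"X.Y.Z"}',
    "cli_in_progress": '{"installed":true,"maintenance":true,'
                       '"needsDbUpgrade":true,"versionstring":"X.Y.Z"}',
    "healthy": '{"installed":true,"maintenance":false,'
               '"needsDbUpgrade":false,"versionstring":"X.Y.Z"}',
    "not_nextcloud": "<html>502 Bad Gateway</html>",
}

ADVICE = {
    "upgrade-pending": "new files are in place but the database is not migrated; "
                       "finish with 'occ upgrade' (or set 'upgrade.disable-web' "
                       "so the web page cannot trigger it)",
    "maintenance": "maintenance mode is on; web users only get the maintenance page",
    "ok": "no upgrade step outstanding",
    "unknown": "response is not a status.php document; check the endpoint",
}


def classify(body: str) -> str:
    """Map a status.php response body to one of the ADVICE keys."""
    try:
        status = json.loads(body)
    except ValueError:
        return "unknown"
    if not isinstance(status, dict) or "needsDbUpgrade" not in status:
        return "unknown"
    if status.get("maintenance") is True:
        # Per the thread: with maintenance mode on, the upgrade page is not shown.
        return "maintenance"
    if status.get("needsDbUpgrade") is True:
        return "upgrade-pending"
    return "ok"


def report(samples: dict) -> dict:
    """Return {name: (state, advice)} for every sample body."""
    return {name: (classify(b), ADVICE[classify(b)]) for name, b in samples.items()}


if __name__ == "__main__":
    for name, (state, advice) in report(SAMPLES).items():
        print(f"{name:16} {state:16} {advice}")
```

Feeding it the real body fetched from your own instance's `status.php` on a schedule turns a forgotten upgrade step into an alert instead of a surprise for the next visitor.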