What are the security concerns of a leaked Instance_ID?

I was sharing a log file of a script i was running and i realized after that one of the folders in the appdata directory is named after the nextcloud instance_id.

I feel silly because I’m generally more careful than that.

What are the security implications and should i bother trying to change my instance ID?


I just know that as a user, you don’t do anything with this instance id usually. I suppose internally the client might identify its own server or for federated sharing between server to be independent in case of domain changes or multiple domains.
It is used as salt for the encryption key (server-side encryption): Encryption details — Nextcloud latest Administration Manual latest documentation

Here from the bugtracker, if you look for security bugs that contain the instance id:

I wouldn’t just change the instance id, it could be used for shares, apps might use it and you might break things. If you just started and you want to install again, I’d prefer this.

I hope you have a few starting points, hopefully someone more qualified can give more insight.


As long as you did not expose your passwordsalt, secret and admin uid together with it, nobody can do any harm with the knowledge of your instanceid alone.


1 Like

You don’t have to feel silly. The instanceid is not secret. I can get the instanceid of any nextcloud server from which I know the url, and as you know, the url is not secret, since the instanceid is also used for the assignment of cookies:

# enter an existing nextcloud-URL

# run
curl -Is $URL/status.php | grep -i 'set-cookie: [[:alnum:]]\{12\}=' | awk -F'[ =]' '{print $2}' | sort -u



I wasn’t sure about that. Thanks for the example code :+1:

1 Like