- The exposed ElasticSearch cluster at Nextcloud contained ~367,000 records (8GB), including employee data, client contracts and scripts
- Sensitive information such as staff emails and customer company information was left unencrypted; Nextcloud secured the archive within two days of the announcement
- The company attributed the incident to hosting misconfiguration and stressed that customer servers were unaffected, although researchers warn that attackers may have access to the data
European cloud provider Nextcloud stored an unprotected database on the public internet, exposing sensitive internal and client data to anyone who knew where to look, experts have revealed.
Nextcloud is a free, open source platform that lets users create their own private cloud. It is often described as an alternative to Google Drive or Microsoft 365, which allows users to control where their data resides.
By mid-May 2026, security researchers were from Cyber news discovered a publicly exposed ElasticSearch cluster and after a deeper investigation determined that it contained about 367,000 records (8 GB of data in total). The archive was a mix of Nextcloud employee data, client company data, contracts and scripts built for the company’s customers.
Nextcloud reacts
Most files were in .PDF format (71k), followed by .PNG (53k) and .MD (23k). All of the exposed records were found in a single index with some revealing customer company information as well as data about Nextcloud employees. Some of the information was also unencrypted, revealing employee email addresses, client company names and addresses, and emails from people sending invoices to Nextcloud.
Cyber news reached out to Nextcloud, and the company locked down the archive within two days and notified the appropriate authorities. It says it found no evidence of unauthorized access, but without a deep forensic analysis it’s impossible to say if that’s really the case.
“If our team was able to discover the exposed data set, so might threat actors,” he says Cyber news wrote the team. “Malicious attackers operate numerous bots on the web that scour the web looking for exactly that: misconfigured databases with data to steal.”
The company also said that this was a misconfiguration issue and that its services are secure: “The issue was caused by a misconfiguration of our hosting infrastructure and is not related to the Nextcloud solution. No other Nextcloud servers belonging to our customers, partners or other users have been affected by this issue,” the company’s spokesperson told the researchers.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



