Nextcloud, the open-source file hosting platform with a reputation for standing firm on user privacy, issued a quick patch this week after suspicious data requests were spotted following a recent software update. The problem, first reported by a Mastodon user, sparked rumors that the company’s software was harvesting user data without permission. After an internal investigation, Nextcloud said that no unauthorized data storage had taken place.
The alarm was raised when one user reported that their server logs showed suspicious activity after an upgrade to Nextcloud 31.0.0. Security researcher Tobias Fiebig joined the thread, along with Nextcloud director of engineering Andy Scherzinger, to trace the source of the problem. Some initially suspected that a legacy code change had caused a data leak, but further investigation pointed to a more recent change from February 2025.
Nextcloud engineers traced the issue to a “logic flaw” in the communication between Nextcloud servers and the company’s lookup server, the service that supports federated file sharing by letting users on different instances find one another. The bug flooded the lookup server with traffic by issuing far more requests for user data than intended. According to Nextcloud, the requests neither stored nor exposed private data, but they caused considerable alarm among users.
To resolve the problem, Nextcloud temporarily disabled its lookup server and published a patch. The company assured users that their data was safe and that the system never collected or stored personal data without explicit permission. Nextcloud also committed to revisiting its defaults, making federated file sharing opt-in in subsequent versions to prevent a repeat of the problem.
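A check an administrator can run after reading this, added here as an example and not taken from Nextcloud or the original article: the script below inspects a Nextcloud config.php to see whether the instance is still configured to contact a lookup server. It assumes the config.php key is 'lookup_server' (the key present in Nextcloud's config.sample.php, defaulting to https://lookup.nextcloud.com) and that an empty value disables lookup-server traffic; the config fragments it runs on are constructed for the demo, not real server files.

```shell
#!/bin/sh
# Added example: audit a Nextcloud config.php for lookup-server publishing.
# Assumptions (not stated in the article): the config.php key is
# 'lookup_server', which defaults to https://lookup.nextcloud.com when
# absent, and an empty string turns the lookup server off.

# Print the configured lookup server URL, or nothing if the key is set to
# an empty string or is not present at all. Handles the usual one-line,
# single-quoted form used in config.php.
lookup_server_url() {
    sed -n "s/^[[:space:]]*'lookup_server'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1"
}

# Return 0 when the instance would talk to a lookup server, 1 when it is
# disabled. A missing key counts as enabled because Nextcloud falls back
# to its built-in default URL.
lookup_server_enabled() {
    if grep -q "^[[:space:]]*'lookup_server'" "$1"; then
        url=$(lookup_server_url "$1")
        [ -n "$url" ]
    else
        return 0
    fi
}

# Demo on three constructed config.php fragments: explicit default,
# explicitly disabled, and key absent.
demo() {
    tmp=$(mktemp -d)
    printf "<?php\n\$CONFIG = array (\n  'lookup_server' => 'https://lookup.nextcloud.com',\n);\n" > "$tmp/enabled.php"
    printf "<?php\n\$CONFIG = array (\n  'lookup_server' => '',\n);\n" > "$tmp/disabled.php"
    printf "<?php\n\$CONFIG = array (\n  'datadirectory' => '/var/www/data',\n);\n" > "$tmp/absent.php"
    for f in "$tmp/enabled.php" "$tmp/disabled.php" "$tmp/absent.php"; do
        if lookup_server_enabled "$f"; then
            echo "$f: lookup server ENABLED (url: ${url:-built-in default})"
        else
            echo "$f: lookup server disabled"
        fi
    done
    rm -r "$tmp"
}

demo
```

On a live instance the same question can be put to Nextcloud's occ tool with `occ config:system:get lookup_server`, and the lookup server switched off with `occ config:system:set lookup_server --value ''`; the script is only a way to review copied config files offline.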
A Nextcloud spokesperson emphasized the company’s commitment to privacy and transparency, stating, “Our investigation confirmed that we did not inappropriately store or leak any user data. We moved swiftly to take down the impacted server and deployed a fix inside hours of the report.” The company also encouraged users to report security issues through its bug bounty program on HackerOne, which pays up to $10,000 for confirmed vulnerabilities.
As part of its longer-term response, Nextcloud intends to add clearer admin warnings and improve its internal monitoring so that problems of this kind are caught early, before they escalate. A release candidate containing the fix has already been published, with the final update imminent.
By addressing user concerns promptly and tightening its security practices, Nextcloud is looking to safeguard user data and maintain its reputation as a privacy-focused cloud platform.