Password disclosure in log file in Nextcloud Mail App
Description
Nextcloud Mail is an email application for the Nextcloud personal cloud product. Affected versions of Nextcloud Mail would log user passwords to disk in the event of a misconfiguration. Should an attacker gain access to the logs, complete access to affected accounts would be obtainable. It is recommended that Nextcloud Mail be upgraded to 1.12.1. Operators should inspect their logs and remove passwords which have been logged. There are no workarounds to prevent logging in the event of a misconfiguration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Nextcloud Mail logs plaintext passwords to disk when initial setup fails due to misconfiguration, allowing local attackers to access email accounts.
Vulnerability
Nextcloud Mail versions prior to 1.12.1 log user passwords in plaintext to nextcloud.log when the initial account setup fails (e.g., wrong IMAP port). The password is included in the log message when a CouldNotConnectException is caught [1][2]. This occurs regardless of log level, and the log file may be accessible to local users or forwarded to external logging systems.
Exploitation
An attacker with read access to the Nextcloud log file (e.g., via local file inclusion, compromised admin account, or shared hosting) can extract plaintext passwords. The vulnerability is triggered when a user provides incorrect IMAP/SMTP settings during account creation, causing the error to be logged with the password [1]. No authentication is needed beyond log access.
Impact
Successful exploitation yields the victim's email account password. If the same password is reused for the Nextcloud account, full account compromise is possible [3]. The attacker gains the ability to read, send, and delete emails, and potentially pivot to other services.
Mitigation
Upgrade to Nextcloud Mail version 1.12.1, which removes the password from log messages [2][3]. Operators should inspect existing logs and remove any logged passwords. No workaround exists to prevent logging during misconfiguration; only correct setup avoids the error [3].
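As an added example (not Nextcloud's own code), a small Python tool for the log cleanup the mitigation calls for: it walks a nextcloud.log in JSON-lines form, redacts password values found in message fields, and reports which lines held them so operators know which accounts need a password rotation. The key layout follows Nextcloud's JSON logger; the sample lines, the wording of the leaked message and the regex are assumptions constructed for this example.

```python
import json
import re

# Constructed sample in Nextcloud's JSON-lines log format (one object per line).
# The key layout follows Nextcloud's logger; the wording of the leaked message and
# the credentials are invented for this example, not the real advisory's strings.
SAMPLE_LOG = "\n".join([
    json.dumps({"level": 3, "app": "mail", "user": "alice",
                "message": "Could not connect to imap.example.org:9931 as "
                           "alice@example.org with password hunter2"}),
    json.dumps({"level": 1, "app": "core", "user": "alice",
                "message": "Login successful"}),
    "not json at all, password=leaked-too",  # a line in a non-JSON format
])

# Matches a 'password' label followed by the secret itself ("password hunter2",
# "password=x"); the label is kept, the value is replaced.
PASSWORD_RE = re.compile(r"(password\s*[:=]?\s*)(\S+)", re.IGNORECASE)
REDACTED = "[REDACTED]"


def _redact_text(text: str) -> tuple[str, bool]:
    """Replace every password value in free text; report whether anything matched."""
    new_text, count = PASSWORD_RE.subn(lambda m: m.group(1) + REDACTED, text)
    return new_text, count > 0


def process_log(text: str) -> tuple[str, list[dict]]:
    """Return the redacted log text and one finding per line that held a password.

    JSON entries are rewritten field by field (top-level message and nested
    exception message); anything that is not a JSON object is treated as text."""
    out_lines, findings = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            entry = None
        if not isinstance(entry, dict):
            new_line, hit = _redact_text(line)
            if hit:
                findings.append({"line": lineno, "app": None, "user": None})
            out_lines.append(new_line)
            continue
        hit = False
        if isinstance(entry.get("message"), str):
            entry["message"], h = _redact_text(entry["message"])
            hit |= h
        exc = entry.get("exception")
        if isinstance(exc, dict) and isinstance(exc.get("Message"), str):
            exc["Message"], h = _redact_text(exc["Message"])
            hit |= h
        if hit:
            findings.append({"line": lineno, "app": entry.get("app"), "user": entry.get("user")})
        out_lines.append(json.dumps(entry))
    return "\n".join(out_lines), findings
```

Run it over a copy of the real log, then rotate the credentials of every account listed in the findings, since redaction after the fact does not undo earlier exposure.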
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- nextcloud/security-advisories (v5), Range: < 1.12.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/nextcloud/mail/issues/823 (x_refsource_MISC)
- [2] github.com/nextcloud/mail/pull/6488/commits/ab9ade57fbc1f465ffe905248f93f328d638d7e5 (x_refsource_MISC)
- [3] github.com/nextcloud/security-advisories/security/advisories/GHSA-63m3-w68h-3wjg (x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.