Blind SSRF via server URL input in the Nextcloud Mail app
Description
Nextcloud Mail is an email app for the Nextcloud home server platform. In affected versions, the SMTP, IMAP and Sieve host fields could be used to scan for internal services and servers reachable from within the local network of the Nextcloud Server. It is recommended that the Nextcloud Mail app is upgraded to 1.15.0 or 2.2.2. The only known workaround for this issue is to completely disable the Nextcloud Mail app.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Nextcloud Mail app allows blind SSRF via SMTP, IMAP, and Sieve host fields, enabling internal network scanning.
Vulnerability
The Nextcloud Mail app (versions prior to 1.15.0 and 2.2.2) does not validate the host fields for SMTP, IMAP, and Sieve settings. An authenticated attacker can supply arbitrary hostnames or IP addresses, causing the server to attempt connections to those hosts. This leads to a blind Server-Side Request Forgery (SSRF) vulnerability, allowing the attacker to probe internal services reachable from the Nextcloud server [2]. The fix introduced in pull request #7796 adds host validation [1].
Exploitation
An attacker must be an authenticated Nextcloud user with the ability to configure mail accounts (e.g., via the Mail app settings). The attacker sets the SMTP, IMAP, or Sieve host field to an internal IP address or hostname (e.g., 127.0.0.1, 10.0.0.1, or a service name). When the Nextcloud server attempts to connect to the specified host, the attacker can infer the existence of internal services based on connection success, failure, or timing differences [2]. No user interaction beyond the initial configuration is required.
Impact
Successful exploitation results in blind SSRF, enabling the attacker to scan internal networks and services that are otherwise inaccessible from outside. This can lead to information disclosure about internal infrastructure, such as identifying running services or internal hostnames. The vulnerability does not directly allow code execution or data exfiltration, but it can be used as a stepping stone for further attacks [2].
Mitigation
The vulnerability is fixed in Nextcloud Mail versions 1.15.0 and 2.2.2 [2]. Users should upgrade to these versions or later. The only known workaround is to completely disable the Nextcloud Mail app until an upgrade can be applied [2]. No evidence of inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog was found in the available references.
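A host check of the kind the fix describes, written as an added example rather than the Nextcloud Mail project's own code from PR #7796: it rejects literal addresses and hostnames that resolve into loopback, private, link-local or multicast ranges before the server would attempt an IMAP, SMTP or Sieve connection. The blocked range list, the `resolver` parameter and the sample hostnames are assumptions for illustration.

```python
import ipaddress
import socket
from typing import Callable, Set

# Address ranges a user-supplied mail host must never point at (assumed list
# for this example: loopback, RFC 1918, CGNAT, link-local, multicast, ULA).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def system_resolver(host: str) -> Set[str]:
    """Resolve a hostname to all of its A/AAAA addresses via the OS resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked_address(addr: str) -> bool:
    """True if a literal IP address falls into an internal or reserved range."""
    ip = ipaddress.ip_address(addr)
    # Check IPv4-mapped IPv6 (::ffff:127.0.0.1) as its embedded IPv4 form.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_mail_host(host: str,
                       resolver: Callable[[str], Set[str]] = system_resolver) -> bool:
    """Return True only if the IMAP/SMTP/Sieve host may be connected to."""
    host = host.strip()
    if host.startswith("[") and host.endswith("]"):   # bracketed IPv6 literal
        host = host[1:-1]
    if not host:
        return False
    try:
        return not is_blocked_address(host)            # literal IP address
    except ValueError:
        pass                                           # not an IP: treat as hostname
    try:
        addrs = resolver(host)
    except OSError:
        return False   # unresolvable: refuse rather than attempt a connection
    # Reject if any resolved address is internal, since one internal record
    # would be enough for the connection to reach it. Repeat this check at
    # connect time, not only when the account is saved, as DNS answers change.
    return bool(addrs) and not any(is_blocked_address(a) for a in addrs)
```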
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- nextcloud/security-advisories (v5), Range: >= 2.0.0, < 2.2.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/nextcloud/mail/pull/7796 (mitre, x_refsource_MISC)
- github.com/nextcloud/security-advisories/security/advisories/GHSA-8gcx-r739-9pf6 (mitre, x_refsource_CONFIRM)
- hackerone.com/reports/1736390 (mitre, x_refsource_MISC)
- hackerone.com/reports/1741525 (mitre, x_refsource_MISC)
- hackerone.com/reports/1746582 (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.