Nextcloud Mail auto configurator can be tricked into sending account information to wrong servers
Description
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. When a user tries to set up a mail account with an email address such as user@example.tld whose domain does not support auto configuration, and an attacker has managed to register autoconfig.tld, the email details used for the setup would be sent to the attacker's server. It is recommended that the Nextcloud Mail app is upgraded to 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 or 4.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Nextcloud Mail's auto-configuration sends account details to an attacker-controlled autoconfig.tld host when the mailbox domain offers no auto-configuration and the attacker has registered that name.
Vulnerability
The Nextcloud Mail app's auto-configuration feature discovers mail server settings by looking up autoconfig hosts derived from the domain of the email address being added (the fix's pull request refactors the DNS query involved). When that domain, e.g. example.tld, publishes no auto-configuration, the lookup does not stop at autoconfig.example.tld but falls through to the bare top-level domain and queries autoconfig.tld, a name formed from `autoconfig` and the TLD alone that any party can register. Whoever holds that registration receives the account details used for the lookup, including the user's email address. The 1.x, 2.x and 3.x release lines before the fixes listed below are affected. [1][2][3]
Exploitation
An attacker registers autoconfig.tld for a top-level domain used by victims' email addresses and stands up a server there. When a Nextcloud user then adds a mail account on a domain under that TLD that lacks auto-configuration, the Nextcloud Mail app falls through to resolving and contacting autoconfig.tld and transmits the account details to the attacker's server. No user interaction beyond starting account setup is required, and the victim never has to visit anything the attacker controls: a single registration covers every mailbox domain under that TLD that has no auto-configuration of its own. [3]
Impact
Successful exploitation discloses the account details submitted for auto-configuration, at minimum the user's email address. Because the attacker also controls the answer from autoconfig.tld, they could return a configuration that points the account at mail servers of their choosing, which is the route to intercepting or redirecting the account's mail. The compromise is confined to the mail account being configured, not the Nextcloud instance itself. [3]
Mitigation
Upgrade the Nextcloud Mail app to one of the fixed versions: 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7, or 4.0.0. These releases carry a refactored DNS resolver that no longer queries autoconfig.tld once the candidate domain has been reduced to a bare top-level domain. No workarounds are available. Operators who want to know whether an instance has already made such requests can look for outbound connections to hosts named autoconfig.<tld> in their DNS or proxy logs. [1][2][3]
- fix(autoconfig): Refactor DNS query for testing by ChristophWurst · Pull Request #9964 · nextcloud/mail
- Merge pull request #9964 from nextcloud/fix/autoconfig/testable-dns-r… · nextcloud/mail@a84c70e
- Mail auto configurator sends account information to `autoconfig.tld` server when no auto-configuration is possible
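An added example, not code from Nextcloud Mail or its fix, that models the class of bug in Python: an ISPDB-style auto-configurator that keeps stripping labels off the mailbox domain ends at the bare TLD, while the hardened variant stops at a public suffix. The label-stripping walk-up order, the toy public-suffix table, the sample address user@example.tld and the attacker-registered name autoconfig.tld are assumptions and constructed data for illustration, not the app's exact logic.

```python
from urllib.parse import quote, urlsplit

# Constructed sample input (not from the advisory): a mailbox whose domain
# publishes no autoconfig record.
EMAIL = "user@example.tld"

# Toy public-suffix table for this example only. A real implementation
# should consult the Public Suffix List; which library does that is a
# deployment choice, not something the advisory specifies.
PUBLIC_SUFFIXES = {"tld", "com", "uk", "co.uk"}


def autoconfig_url(domain, email):
    """Mozilla/Thunderbird-style autoconfig URL; the address travels as a query parameter."""
    return f"https://autoconfig.{domain}/mail/config-v1.1.xml?emailaddress={quote(email)}"


def parent_domains_naive(domain):
    """Assumed vulnerable fallback: strip one label at a time until nothing is left.

    For a domain with no autoconfig, the last candidate is the bare TLD,
    so the lookup ends at autoconfig.<tld>, a name anyone can register.
    """
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def parent_domains_safe(domain):
    """Hardened fallback: stop before a candidate that is a public suffix or a single label."""
    labels = domain.split(".")
    out = []
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if "." not in cand or cand in PUBLIC_SUFFIXES:
            break
        out.append(cand)
    return out


def lookup_urls(email, fallback):
    """All URLs the modelled auto-configurator would contact, in order."""
    domain = email.rsplit("@", 1)[1].lower()
    return [autoconfig_url(d, email) for d in fallback(domain)]


def leaked_hosts(urls, attacker_domains):
    """Lookup targets whose host falls under an attacker-registered domain."""
    hits = []
    for url in urls:
        host = urlsplit(url).hostname
        if any(host == d or host.endswith("." + d) for d in attacker_domains):
            hits.append(host)
    return hits


if __name__ == "__main__":
    attacker = {"autoconfig.tld"}  # constructed: the name the attacker registered
    for name, fallback in (("naive", parent_domains_naive), ("safe", parent_domains_safe)):
        urls = lookup_urls(EMAIL, fallback)
        print(f"{name} contacts: " + ", ".join(urls))
        print(f"{name} leaks to attacker: {leaked_hosts(urls, attacker)}")
```

The naive walk-up hands the email address to autoconfig.tld in the query string of its final request; the safe walk-up never produces that candidate, which is the property the fixed releases restore.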
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Source: nextcloud/security-advisories (v5) · Range: >= 1.9.0, < 1.14.6
Patches
No patch entries indexed yet; the fixing commit a84c70e and pull request #9964 are listed under References.
References
- github.com/nextcloud/mail/commit/a84c70e15d814dab6f0e8eda71bbaaf48152079b
- github.com/nextcloud/mail/pull/9964
- github.com/nextcloud/security-advisories/security/advisories/GHSA-vmhx-hwph-q6mc
- hackerone.com/reports/2508422