05.02.2026 - Updates

OpenCloud developers find high severity vulnerability - patch available

Our security team at OpenCloud has discovered a vulnerability in Public Links and rated it CVSS 8.2 (High). The vulnerability originated in the code of ownCloud (Kiteworks) and was inherited by OpenCloud's fork of OCIS.

Vulnerability discovered

As is customary in the open source environment, the team informed both CERN and ownCloud (Kiteworks) in advance, whose software is based in part on the same codebase as OpenCloud. This ensured that all affected parties were able to check their codebase and protect customer installations, such as the BayernCloud Schule (ByCS).

Today we are publicising this vulnerability and providing an important patch for OpenCloud.

We handled the discovery in accordance with responsible disclosure principles. Our customers with an Enterprise licence were protected at all times via their subscription. We ensure that every customer is informed and receives the necessary support for rapid protection and updates. Our support team is still available to answer any questions our customers may have.

Affected versions

CVE-2026-23989

All OpenCloud instances below version 4.0.3 and all instances below 5.0.2 are affected. The patched versions are 4.0.3 and 5.0.2.

Security patch available

With the publication of the vulnerability today, we are also publishing the patch publicly online. We recommend that you schedule and install the update immediately to ensure the security of your data.

You can find the current patch version in the advisory.

Immediate action until the patch is applied

  • Disable public links on your instances if you cannot apply the patch immediately.
  • Apply the following configuration change:
    • Docker Compose: Edit the docker-compose.yml and set GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT="" (empty string value) in the "environment" section of the "opencloud" container.
    • Kubernetes: Edit the deployment opencloud-api and, in the "env" section of the "spec" of the container "api", set:
      name: GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT
      value: "" (empty string)
  • Verify that the mitigation is active by performing the following test:
    • Create a public link as a test.
    • Open the link in a private (no active login) browser tab.
    • You will see an error page with the message "File not found".
  • Inform your IT team and relevant stakeholders.
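The browser test above confirms the mitigation from the outside; an operator will also want to confirm that the running deployment actually carries the empty GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT value before relying on it. The following is an added example, not OpenCloud's own tooling: it checks the JSON that `docker inspect <container>` and `kubectl get deployment opencloud-api -o json` produce, and the sample JSON documents embedded below are constructed for illustration.

```python
import json

# Variable the advisory says to set to an empty string as the interim mitigation.
MITIGATION_VAR = "GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT"


def compose_mitigated(docker_inspect_json: str) -> bool:
    """True if `docker inspect` output shows the variable set to an empty string.

    Config.Env is a list of "KEY=VALUE" strings; a missing variable means the
    default endpoint applies, so that counts as NOT mitigated.
    """
    for container in json.loads(docker_inspect_json):
        env = container.get("Config", {}).get("Env") or []
        for entry in env:
            key, sep, value = entry.partition("=")
            if key == MITIGATION_VAR:
                return sep == "=" and value == ""
    return False


def k8s_mitigated(deployment_json: str, container_name: str = "api") -> bool:
    """True if the named container's env has the variable with value "".

    A valueFrom reference (ConfigMap/Secret) cannot be verified from the
    manifest alone, so it is treated as not mitigated.
    """
    deployment = json.loads(deployment_json)
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        if container.get("name") != container_name:
            continue
        for var in container.get("env") or []:
            if var.get("name") == MITIGATION_VAR:
                return "value" in var and var["value"] == ""
    return False


# Constructed sample: a Compose-managed container with the mitigation applied.
SAMPLE_DOCKER_INSPECT = json.dumps([{
    "Name": "/opencloud",
    "Config": {"Env": ["PATH=/usr/local/bin:/usr/bin", MITIGATION_VAR + "="]},
}])

# Constructed samples: the same Deployment before and after the change.
_K8S_BASE = {"kind": "Deployment", "metadata": {"name": "opencloud-api"},
             "spec": {"template": {"spec": {"containers": [{"name": "api", "env": []}]}}}}
SAMPLE_K8S_UNMITIGATED = json.dumps(_K8S_BASE)
_mitigated = json.loads(SAMPLE_K8S_UNMITIGATED)
_mitigated["spec"]["template"]["spec"]["containers"][0]["env"].append(
    {"name": MITIGATION_VAR, "value": ""})
SAMPLE_K8S_MITIGATED = json.dumps(_mitigated)
```

Feed the real `docker inspect` / `kubectl ... -o json` output to these functions; a False result means public links are still served and the browser test above should not be expected to show "File not found".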

Patch installation

  • The public patch version is available as of today, 05.02.2026 (can be found in the advisory)
  • Plan your maintenance window, ensure your backups, prepare your test/staging environment
  • Download the patch version 4.0.3
  • Test the patch in your test environment
  • Run the patch installation in the production environment
  • Verify the successful installation
  • Remove the temporary security configuration, if necessary

For more information, please also take a look at our release notes and read our blog post "Vulnerabilities in the code: Why transparency and enterprise licences provide security".