CVE-2024-52508

8.2 HIGH

📋 TL;DR

This vulnerability in Nextcloud Mail allows email account setup details to be sent to attacker-controlled servers when auto-configuration fails. Attackers can register domains like autoconfig.tld to intercept sensitive email credentials. All Nextcloud Mail users with vulnerable versions are affected.

💻 Affected Systems

Products:
  • Nextcloud Mail
Versions: Versions before 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7, and 4.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users setting up email accounts with domains lacking proper auto-configuration support.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Email credentials and account details are exfiltrated to attacker-controlled servers, potentially leading to full email account compromise and further attacks.

🟠 Likely Case: Email credentials are leaked to attackers who have registered malicious autoconfig domains, enabling unauthorized email access.

🟢 If Mitigated: With proper patching, no data leakage occurs during email account setup.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an attacker to register a malicious autoconfig domain and a user to attempt email account setup for a domain whose auto-configuration lookup fails.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7, or 4.0.0

Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vmhx-hwph-q6mc

Restart Required: Yes

Instructions:

1. Update the Nextcloud Mail app via the Nextcloud app store or manual installation.
2. Restart the Nextcloud service.
3. Verify the version in the Nextcloud admin interface.

🔧 Temporary Workarounds

Disable email account setup (applies to: all)

Temporarily prevent users from setting up new email accounts.

Use trusted email providers (applies to: all)

Only allow email setup with providers known to have proper auto-configuration.

🧯 If You Can't Patch

  • Monitor for suspicious autoconfig domain registrations targeting your email domains
  • Implement network monitoring for connections to unknown autoconfig servers during email setup

🔍 How to Verify

Check if Vulnerable:

Check Nextcloud Mail app version in Nextcloud admin interface under Apps section

Check Version:

Check via Nextcloud web interface: Settings → Apps → Mail

Verify Fix Applied:

Verify the installed version is at least the fixed release for its branch: 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7, or 4.0.0 or higher.
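A branch-aware version check implementing the rule above, added here as an example (not Nextcloud's code). It assumes the version string as shown under Settings → Apps → Mail and treats the advisory's listed releases as the only safe baselines; a version below 4.0.0 on a branch the advisory does not list is reported as vulnerable, which is the conservative reading of "versions before 4.0.0".

```python
# Branch-aware check of a Nextcloud Mail app version against the fixed
# releases listed in this advisory. Added example, not Nextcloud's own code.
import re

# Fixed releases from the advisory, keyed by (major, minor) release branch.
FIXED_BY_BRANCH = {
    (1, 14): (1, 14, 6),
    (1, 15): (1, 15, 4),
    (2, 2): (2, 2, 11),
    (3, 6): (3, 6, 3),
    (3, 7): (3, 7, 7),
}
FIRST_FIXED_MAJOR = (4, 0, 0)  # 4.0.0 and anything later is fixed


def parse_version(text):
    """Parse 'major.minor[.patch]' (leading 'v' and suffixes like '-rc1' ignored)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess(version_text):
    """Return 'fixed' or 'vulnerable' for a Nextcloud Mail app version.

    A version is fixed only if it is >= 4.0.0 or >= the patched release of
    its own (major, minor) branch. Branches the advisory does not list
    (e.g. 2.0.x) carry no fix, so they are reported as vulnerable.
    """
    v = parse_version(version_text)
    if v >= FIRST_FIXED_MAJOR:
        return "fixed"
    fix = FIXED_BY_BRANCH.get(v[:2])
    if fix is None:
        return "vulnerable"
    return "fixed" if v >= fix else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs; in practice paste the version from the
    # Apps page (or, assumed, the output of `php occ app:list`).
    for sample in ["1.14.5", "1.14.6", "1.15.3", "2.2.11", "3.7.7", "4.0.0"]:
        print(f"{sample:>8}: {assess(sample)}")
```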

📡 Detection & Monitoring

Log Indicators:

  • Failed email account setup attempts
  • Connections to unusual autoconfig domains

Network Indicators:

  • Outbound connections to autoconfig.* domains during email setup

SIEM Query:

source="nextcloud" AND ("autoconfig" OR "mail setup") AND (error OR failed)

