What happened?
A critical vulnerability has been discovered in Nextcloud's automation app "Flow". A flaw in the underlying Windmill component allows attackers to steal administrator tokens and execute arbitrary code on the server. Since execution typically occurs with root privileges inside the container, a successful compromise puts the entire Nextcloud instance at risk — including all stored files, user accounts, and connected services.
Affected versions are Flow app releases prior to 1.3.0. A patch is available.
Who is affected?
- SMEs hosting Nextcloud as a self-managed collaboration platform
- Users of the "Nextcloud Flow" app (particularly versions before 1.3.0)
- IT service providers in CH/FL operating managed Nextcloud instances for customers
What should you do?
1. Immediate update: Update the Flow app to version 1.3.0 or later without delay — via the Nextcloud App Store or CLI (`occ app:update flow`).
2. Workaround: If an immediate update is not feasible, disable the Flow app in the Nextcloud settings and stop all associated Windmill containers.
3. Audit: Check whether the file `windmill_users_config.json` has already been accessed without authorisation — carefully review the access logs of the affected instance.
4. Hardening: Ensure your Nextcloud instance is configured according to the hardening guidelines — a practical reference is available in the [Nextcloud documentation](https://docs.nextcloud.com/server/32/admin_manual/installation/harden_server.html).
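Steps 1 to 3 above as an added shell example; this is not the advisory's own code. It assumes `occ` sits in the Nextcloud root, the web-server user is `www-data`, and the access log is in common/combined format with the client IP in the first field; the log lines, request path and version numbers are constructed samples.

```shell
#!/bin/sh
# Added example, not from the advisory: helpers for the update, workaround
# and audit steps. Assumptions: occ is in the Nextcloud root, the web-server
# user is www-data, and the access log has the client IP in field 1.

# True (exit 0) when a Flow app version predates the patched release 1.3.0.
flow_version_is_vulnerable() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 3 ]; }
}

# Step 1: update the Flow app (run from the Nextcloud root; not run here).
update_flow_app() {
    sudo -u www-data php occ app:update flow
}

# Step 2: workaround while an update is not yet possible (not run here).
disable_flow_app() {
    sudo -u www-data php occ app:disable flow
}

# Step 3: number of access-log lines (stdin) that reference the sensitive file.
config_file_hits() {
    grep -c 'windmill_users_config\.json' || true
}

# Step 3: unique client IPs that requested the file, for manual review.
config_file_accessors() {
    grep 'windmill_users_config\.json' | awk '{ print $1 }' | sort -u
}

# Constructed sample log; the request path is illustrative, not a real one.
SAMPLE_LOG='203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "GET /example-path/windmill_users_config.json HTTP/1.1" 200 1024
198.51.100.2 - - [01/Jan/2025:10:01:00 +0000] "GET /remote.php/dav/ HTTP/1.1" 207 300'

# Sample version 1.2.4 is constructed; it is older than 1.3.0 and so flagged.
if flow_version_is_vulnerable 1.2.4; then
    echo "Flow 1.2.4 is vulnerable: update to 1.3.0 or later"
fi
echo "Clients that requested windmill_users_config.json:"
printf '%s\n' "$SAMPLE_LOG" | config_file_accessors
```

On a live system, pipe the real access log into `config_file_accessors` instead of the sample and compare the listed addresses against expected administrator sources.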
This advisory is for informational purposes. Contact us for a security review of your Nextcloud instance.