CVE-2023-49103 Critical Patch Available

CVE-2023-49103: ownCloud graphapi — Sensitive Information Disclosure (CVSS 10.0)

CVE Details

CVE ID CVE-2023-49103
CVSS Score 10
Severity Critical
Vendor ownCloud
Product ownCloud (graphapi app)
Patch Status Available
Published April 4, 2026

Background

ownCloud is an open-source file sync and sharing platform, widely used as a self-hosted alternative to commercial cloud storage services. Enterprise ownCloud deployments often contain sensitive documents, personal data, and may be configured to integrate with enterprise identity providers and mail servers. The graphapi app is an optional component that provides Microsoft Graph API compatibility, enabling integration with Microsoft 365 applications.

CVE-2023-49103, disclosed in November 2023, is a CVSS 10.0 information disclosure vulnerability that exposes PHP environment variables — including the ownCloud admin password, mail server credentials, and license keys — to any unauthenticated attacker who knows the URL. The simplicity of the exploit (a single HTTP GET request) and the severity of the disclosed data earned it a perfect CVSS score. CISA added it to the KEV catalogue after confirming active exploitation.

Technical Mechanism

The vulnerability is in the ownCloud graphapi app (owncloud/apps/graphapi), which bundles the third-party microsoft-graph PHP library. That library's test suite ships a file, GetPhpInfo.php (referred to as phpinfo.php elsewhere in this advisory), that calls the standard PHP phpinfo() function. phpinfo() outputs a comprehensive dump of the PHP runtime configuration, including:

  • All PHP environment variables ($_ENV)
  • All PHP server variables ($_SERVER)
  • Loaded PHP modules and their configurations
  • Compilation options and paths
  • All php.ini configuration directives

The graphapi app exposes this phpinfo() output via a publicly accessible URL without any authentication requirement:

# The vulnerable URL — no authentication needed
GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1
Host: owncloud.target.com

# Response contains complete phpinfo() output, including:
# OWNCLOUD_ADMIN_PASSWORD = [plaintext admin password]
# MAIL_SMTP_PASSWORD = [mail server password]
# OWNCLOUD_LICENSE_KEY = [license key]
# Database credentials (depending on configuration)

The root cause is two-fold:

  1. The phpinfo.php file from a test suite was inadvertently included in the production package distribution
  2. The file is accessible without authentication because the web server serves it directly without routing through ownCloud’s authentication middleware

The admin password exposure is particularly severe: the OWNCLOUD_ADMIN_PASSWORD environment variable is set in containerized ownCloud deployments (Docker/Kubernetes), and when exposed, allows the attacker to log into ownCloud with full administrator access — accessing all files, user accounts, and administrative functions.

Real-World Exploitation Evidence

Active exploitation was confirmed by CISA and multiple security firms:

  • Immediate mass exploitation: Within days of the November 21, 2023 advisory, security researchers observed widespread scanning for the vulnerable URL.
  • Automated exploitation: The simplicity of the exploit (single GET request, no auth) made it trivially automatable; botnets and mass scanners rapidly incorporated it.
  • Credential stuffing follow-up: Organisations whose admin credentials were exposed were targeted with follow-on authentication attempts; exposed mail server credentials were used for spam campaigns.
  • Data exfiltration: Threat actors with admin credentials accessed ownCloud instances to exfiltrate stored files and user data.

The vulnerability’s impact was amplified by common Docker-based ownCloud deployments where all sensitive configuration is passed via environment variables — exactly the mechanism that phpinfo() exposes.

Impact Assessment

The chain of impact from CVE-2023-49103 exploitation:

  • Admin credential exposure: If OWNCLOUD_ADMIN_PASSWORD is exposed, attackers have immediate administrator access to the ownCloud instance.
  • Complete file access: ownCloud admins can access all files stored by all users on the platform.
  • Mail server compromise: Exposed SMTP credentials enable sending emails via the organisation’s mail server — useful for phishing and spam.
  • Database access: Depending on configuration, database credentials may also be in the environment.
  • SSO token exposure: If OAuth or SAML credentials are in environment variables, downstream SSO integrations may also be compromised.

Affected Versions

Product                          | Affected Conditions                  | Remediation
ownCloud with graphapi < 0.3.0   | phpinfo.php accessible without auth  | Delete the file; upgrade graphapi to 0.3.0+
ownCloud, any version            | phpinfo.php present                  | Delete the file regardless of graphapi version

The core ownCloud application itself is not affected — only instances with the graphapi app installed and the specific file present.

Note: Disabling the graphapi app does NOT remove the vulnerable file. The file must be explicitly deleted.

Remediation Steps

  1. Delete the vulnerable file immediately:

    # For standard installations
    rm /var/www/html/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php
    
    # For Docker deployments
    docker exec <container_name> rm /var/www/html/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php
  2. Upgrade graphapi to 0.3.0+: The updated version removes this file from the distribution.

  3. Assume admin credentials are compromised: If the file was accessible at any point, change the admin password immediately.

  4. Rotate all exposed credentials: Change all passwords that were visible in the phpinfo output:

    • ownCloud admin password
    • Database passwords
    • SMTP/mail server credentials
    • Any API keys or license keys
  5. Configure environment variables securely: In Docker deployments, use Docker secrets or Kubernetes secrets rather than environment variables for sensitive configuration data.

  6. Verify the fix: Confirm the file is deleted by attempting to access it:

    curl -I https://yourowncloud.example.com/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php
    # Should return 404 after remediation
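The file deletion (step 1), the graphapi version check behind step 2, and the HTTP verification (step 6) can be scripted so the same check runs across many hosts or containers. The following Python script is an added example, not code from ownCloud or from this advisory. It assumes the web root layout shown in the advisory (apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php) and that the app's version is declared in apps/graphapi/appinfo/info.xml as a <version> element; the demo web root it builds is a constructed temporary directory, not a real installation.

```python
import os
import re
import tempfile
import urllib.error
import urllib.request

# Location of the vendored test file relative to the ownCloud web root (from the advisory).
VULN_REL_PATH = os.path.join(
    "apps", "graphapi", "vendor", "microsoft", "microsoft-graph", "tests", "GetPhpInfo.php")
# Assumption: graphapi declares its version in appinfo/info.xml as <version>x.y.z</version>.
INFO_XML_REL_PATH = os.path.join("apps", "graphapi", "appinfo", "info.xml")
FIXED_VERSION = (0, 3, 0)  # first graphapi release that no longer ships the file


def parse_version(xml_text):
    """Extract the <version> element as an int tuple padded to at least three parts."""
    m = re.search(r"<version>\s*(\d+(?:\.\d+)*)\s*</version>", xml_text)
    if m is None:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0))[:max(3, len(parts))]


def graphapi_version(webroot):
    """Installed graphapi version, or None if info.xml is missing or has no version."""
    path = os.path.join(webroot, INFO_XML_REL_PATH)
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return parse_version(fh.read())


def remediate(webroot, dry_run=False):
    """Delete the exposed file if present (unless dry_run) and report whether
    graphapi still needs the 0.3.0+ upgrade. Disabling the app does not remove
    the file, so the file check runs regardless of app state or version."""
    target = os.path.join(webroot, VULN_REL_PATH)
    result = {"file_present": os.path.isfile(target), "deleted": False,
              "version": graphapi_version(webroot), "needs_upgrade": False}
    if result["file_present"] and not dry_run:
        os.remove(target)
        result["deleted"] = not os.path.exists(target)
    if result["version"] is not None and result["version"] < FIXED_VERSION:
        result["needs_upgrade"] = True
    return result


def remote_status(url, timeout=10):
    """HEAD the URL as in step 6; 404 is the expected answer after remediation.
    Returns the HTTP status code, or None if the host could not be reached."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return None


def make_demo_webroot(version="0.2.1"):
    """Constructed stand-in for a web root: a temporary directory holding a
    placeholder for the exposed file and an info.xml for the given version."""
    root = tempfile.mkdtemp(prefix="owncloud-demo-")
    files = (
        (VULN_REL_PATH, "<?php // placeholder for the vendored test file\n"),
        (INFO_XML_REL_PATH, f"<info><id>graphapi</id><version>{version}</version></info>\n"),
    )
    for rel, body in files:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = make_demo_webroot()
    print("dry run :", remediate(root, dry_run=True))
    print("applied :", remediate(root))
    print("re-check:", remediate(root))
```

Run remediate() against the real web root (for Docker, inside the container or against the mounted volume) and follow it with remote_status() on the public URL; a result that still reports file_present, or a remote status other than 404, means the exposure is still live. Step 3 still applies whatever the script reports: if the file was ever reachable, rotate the admin password and every other credential that was in the environment.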

Detection Guidance

Log sources:

  • ownCloud/Apache/nginx access logs
  • Authentication logs for unexpected admin logins

Exploitation attempt detection:

# Search web server logs for access to the vulnerable file
grep "GetPhpInfo.php" /var/log/apache2/access.log
grep "GetPhpInfo.php" /var/log/nginx/access.log

# Check for 200 responses (successful exploitation)
grep "GetPhpInfo.php" /var/log/apache2/access.log | grep " 200 "

Post-exploitation indicators:

  • Admin logins from previously unseen IP addresses
  • Bulk file downloads or ZIP exports from admin account
  • New user account creation under admin
  • Modified ownCloud sharing settings or user permissions
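The grep commands above find hits on the file but leave the analyst to separate successful disclosures from blocked probes and to tie them to the post-exploitation indicators. The following Python triage script is an added example, not code from ownCloud or from this advisory: it parses Apache/nginx combined-format access log lines, splits requests for GetPhpInfo.php into 200 responses (the file was served) and everything else (probes against a patched host), and then flags client IPs that both retrieved the file and touched the login endpoint. The sample log lines are constructed for the example, and the login path check (/login in the URI) is an assumption about the deployment's routing.

```python
import re
from collections import defaultdict

# URI path of the vendored test file named in the advisory.
VULN_PATH = "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

# Apache/nginx "combined" log format:
# client ident user [time] "METHOD /path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Parse one combined-format access log line; None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    return entry


def classify(entry):
    """'disclosure' if the vulnerable file was served (200), 'probe' for any other
    status on that path, None for unrelated requests. The suffix match tolerates
    an installation prefix such as /owncloud/; the query string is ignored."""
    path = entry["path"].split("?", 1)[0]
    if not path.lower().endswith(VULN_PATH.lower()):
        return None
    return "disclosure" if entry["status"] == 200 else "probe"


def triage(lines):
    """Group hits on the vulnerable path by outcome and client IP."""
    report = {"disclosure": defaultdict(list), "probe": defaultdict(list)}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        outcome = classify(entry)
        if outcome is not None:
            report[outcome][entry["ip"]].append(
                (entry["time"], entry["status"], entry["bytes"]))
    return report


def follow_on_logins(lines, report):
    """Post-exploitation indicator: IPs that obtained the phpinfo output and also
    requested the login endpoint (assumed here to contain /login in the path)."""
    suspects = set(report["disclosure"])
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and entry["ip"] in suspects and "/login" in entry["path"]:
            hits[entry["ip"]].append((entry["time"], entry["method"], entry["status"]))
    return hits


# Constructed sample log lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [22/Nov/2023:03:14:07 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 84213 "-" "python-requests/2.31"',
    '203.0.113.10 - - [22/Nov/2023:03:14:09 +0000] "POST /index.php/login HTTP/1.1" 303 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [22/Nov/2023:03:20:41 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [22/Nov/2023:04:02:13 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 4098 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Nov/2023:05:11:00 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php?x=1 HTTP/1.1" 200 83990 "-" "curl/8.4"',
]


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for outcome in ("disclosure", "probe"):
        for ip, hits in rep[outcome].items():
            print(f"{outcome:<10} {ip:<15} {len(hits)} hit(s), statuses {[h[1] for h in hits]}")
    for ip, hits in follow_on_logins(SAMPLE_LOG, rep).items():
        print(f"login activity from disclosure IP {ip}: {hits}")
```

Feed it the real access logs with `triage(open(path))`; every IP in the disclosure bucket should be treated as holding whatever the environment contained at that time, which is the trigger for step 3 of the remediation (rotate the admin password and all other exposed credentials) independently of whether a login from that IP is ever observed. The byte count is kept in the report because a full phpinfo() page is tens of kilobytes, so a 200 with a tiny body is worth a second look before it is counted as a disclosure.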

Suricata signature:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ownCloud CVE-2023-49103 phpinfo Disclosure"; flow:established,to_server; http.uri; content:"/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"; sid:9002491; rev:1;)

Timeline

Date               | Event
November 21, 2023  | ownCloud publishes security advisory
November 21, 2023  | CISA adds CVE-2023-49103 to KEV catalogue
November 21, 2023  | Mass scanning for vulnerable URLs begins immediately
November 22, 2023  | Greynoise reports thousands of unique IPs scanning for the URL
November 2023      | Active exploitation campaigns confirmed
December 2023      | Follow-on data exfiltration incidents documented