CVE-2023-49103
ownCloud graphapi Information Disclosure Vulnerability
Confirmed exploited in the wild. Added 2023-11-30.
Federal remediation due 2023-12-21.
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Summary
An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.
CVSS 3.1 breakdown
| Metric | Value |
| --- | --- |
| Base score | 10 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | CHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | HIGH |
Weakness type (CWE)
Affected products
References
- https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/
- https://owncloud.org/security
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-49103
Data: NIST NVD + CISA KEV. NVD last modified 2025-10-31. Always verify against the vendor advisory before acting.