PatchSiren cyber security CVE debrief
CVE-2017-5866 Owncloud CVE debrief
CVE-2017-5866 is an information disclosure issue in the autocomplete feature of ownCloud Server’s E-Mail share dialog, rated Medium (CVSS 4.3). The flaw affects specific ownCloud releases before the vendor’s fixed versions and allows a remote authenticated user to obtain sensitive information. The NVD assigns CVSS 3.0 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, reflecting limited confidentiality impact with no integrity or availability impact. The safest response is to upgrade to a patched release.
- Vendor: Owncloud
- Product: CVE-2017-5866
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-03
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-03
- Advisory updated: 2026-05-13
Who should care
ownCloud administrators, security teams, and anyone operating affected ownCloud Server versions should care, especially environments where authenticated users can access the E-Mail share dialog. Even though the issue is rated Medium, it can reveal sensitive data to users who should not see it.
Technical summary
The vulnerability is described as an autocomplete-related information disclosure issue in the E-Mail share dialog. NVD classifies it as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). A remote authenticated attacker can leverage the issue through unspecified vectors to obtain sensitive information. Affected versions listed in the source corpus are ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3.
Defensive priority
Medium. This is not a denial-of-service or code-execution flaw, but it can expose sensitive information to authenticated users. Prioritize patching if the E-Mail share dialog is used in production or if the instance stores high-value shared data.
Recommended defensive actions
- Upgrade ownCloud Server to a fixed release: 8.1.11, 8.2.9, 9.0.7, or 9.1.3, depending on your branch.
- Verify which ownCloud versions are deployed and confirm no affected instances remain exposed.
- Review who can use share-related features and restrict authenticated user access where operationally appropriate until patching is complete.
- Check the vendor advisory for any release-specific guidance and confirm the remediation path for your deployment.
- Treat any unexpected exposure of shared or autocomplete-visible data as a privacy incident and review access logs accordingly.
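The version check from the second action can be scripted against the affected ranges listed above. The following is an added example, not code from the advisory or from ownCloud; it assumes the inventory holds each instance's `status.php` JSON with a `versionstring` field, and the host names and sample responses are constructed.

```python
import json
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {(8, 2): (8, 2, 9), (9, 0): (9, 0, 7), (9, 1): (9, 1, 3)}
# "before 8.1.11" carries no branch qualifier, so it also covers older branches.
OLDEST_FIXED = (8, 1, 11)

def parse_version(text):
    """Return (major, minor, patch) from strings such as '9.1.2' or '9.1.2.5'."""
    match = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)

def is_affected(version_text):
    """True if the version falls in a range the advisory lists as affected."""
    version = parse_version(version_text)
    if version < OLDEST_FIXED:
        return True
    fixed = FIXED_BY_BRANCH.get(version[:2])
    return fixed is not None and version < fixed

def triage(inventory):
    """Map host -> 'affected', 'not listed as affected' or 'unknown'."""
    report = {}
    for host, status_json in inventory.items():
        try:
            status = json.loads(status_json)
            affected = is_affected(status["versionstring"])
        except (ValueError, KeyError, TypeError):
            # Unparseable or incomplete response: needs a manual check.
            report[host] = "unknown"
            continue
        report[host] = "affected" if affected else "not listed as affected"
    return report

# Constructed sample inventory (hypothetical hosts, made-up responses).
SAMPLE = {
    "cloud-a.example": '{"installed":true,"versionstring":"9.1.2"}',
    "cloud-b.example": '{"installed":true,"versionstring":"9.0.7"}',
    "cloud-c.example": '{"installed":true,"versionstring":"8.0.16"}',
    "cloud-d.example": "<html>maintenance</html>",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host}: {verdict}")
```

Hosts reported as "unknown" did not return a parseable version and should be checked by hand rather than assumed patched.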
Evidence notes
Source corpus identifies the issue in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3. NVD lists CVSS 3.0 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N and CWE-200. The CVE was published on 2017-03-03 and the NVD record was modified on 2026-05-13; those dates are used only as record timing context.
Official resources
- CVE-2017-5866 CVE record (CVE.org)
- CVE-2017-5866 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Patch, Vendor Advisory
Published publicly on 2017-03-03. The NVD record was later modified on 2026-05-13; that is a record-update date, not the original disclosure date.