
ownCloud Web 12.4.1 is out

ownCloud Web 12.4.1 ships with a priority fix: an embed mode postMessage vulnerability that let a malicious page forge authenticated file writes without user interaction. If you run embed mode, update. Seven bugfixes round out the release, four of them in vault mode.

ownCloud Web 12.4.1: Embed Mode Security Fix and Vault Polish

ownCloud Web 12.4.1 landed on June 18, 2026. It is a patch release that closes a security vulnerability in embed mode and ships seven bugfixes — most of them centred on the vault feature that has seen heavy development over the past few cycles.

The security fix you should know about

The headline change is a fix for a cross-site scripting-adjacent vulnerability in embed mode modals (#13844). The Save As, Export As PDF and file picker dialogs all listen for incoming postMessage events to coordinate with the host page, but up to 12.4.0 they accepted those messages without checking the sender’s origin. A malicious page that held a reference to an authenticated ownCloud window — for example via window.open() — could forge owncloud-embed:select, owncloud-embed:file-pick or owncloud-embed:cancel messages and trigger authenticated file writes in the victim’s space without any interaction from the user.

The fix validates every incoming message against an allowlist built from the application’s own origin and the optionally configured embed.messagesOrigin value. Deployments using embed mode should treat this as a priority update.
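As an added illustration (not ownCloud's code), here is the shape of an origin-allowlisted postMessage listener for the embed-mode dialogs described above. The three message names and the embed.messagesOrigin option come from the release notes; the function names, config shape and sample origins are assumptions.

```javascript
// Added example, not ownCloud's implementation. Message names and the
// embed.messagesOrigin option are from the release notes; everything else
// (function names, config shape, sample origins) is assumed.
const EMBED_MESSAGES = new Set([
  'owncloud-embed:select',
  'owncloud-embed:file-pick',
  'owncloud-embed:cancel',
]);

// Allowlist = the app's own origin + the optionally configured messagesOrigin.
// A '*', an unparsable value, or an opaque ("null") origin does not widen it.
function buildAllowedOrigins(appOrigin, messagesOrigin) {
  const allowed = new Set([appOrigin]);
  if (typeof messagesOrigin === 'string' && messagesOrigin !== '*') {
    try {
      const origin = new URL(messagesOrigin).origin; // normalises path, slash, case
      if (origin !== 'null') allowed.add(origin);
    } catch {
      // unparsable configuration is ignored rather than trusted
    }
  }
  return allowed;
}

// Returns the accepted message name, or null when the event must be dropped.
// Before 12.4.0 the origin check below was missing, so any page holding a
// window reference could deliver these messages.
function acceptEmbedMessage(event, allowedOrigins) {
  if (!allowedOrigins.has(event.origin)) return null; // the 12.4.1 fix
  const name = event && event.data ? event.data.name : undefined;
  if (typeof name !== 'string' || !EMBED_MESSAGES.has(name)) return null;
  return name;
}

// Browser wire-up: drop anything the allowlist rejects before acting on it.
function installEmbedListener(config, onMessage) {
  const messagesOrigin = config && config.embed ? config.embed.messagesOrigin : undefined;
  const allowed = buildAllowedOrigins(window.location.origin, messagesOrigin);
  window.addEventListener('message', (event) => {
    const name = acceptEmbedMessage(event, allowed);
    if (name) onMessage(name, event.data);
  });
}
```

Note that event.origin is set by the browser and cannot be spoofed by the sender, which is what makes the allowlist check sound.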

Vault mode gets polished

Four of the seven bugfixes address edge cases in vault mode, which provides a hardened, separately themed workspace within ownCloud Web.

  • Vault theme after OIDC callback (#13826): When a user opened vault for the first time and was redirected to an external IdP for 2FA, the post-login redirect back stripped the vault context from the URL. The regular theme was then applied instead of the vault theme. The fix checks the stored post-login redirect URL during the OIDC callback to correctly detect vault mode on return.
  • MFA expiry dialog gating (#13827): The MFA session expiry warning was firing even when vault capability was disabled on the server, because the expiry worker and broadcast channel were initialised unconditionally. They are now created lazily, only when vault is enabled and a session duration is configured.
  • Capabilities endpoint missing vault parameter (#13867): The capabilities request was not including vault=true in vault mode, so the backend returned generic rather than vault-specific capabilities. The OCS client is now reinitialised with the correct base URL when vault mode is detected.
  • Notifications filtered by vault mode (#13877): Notifications are now correctly scoped to the vault context rather than leaking across modes.

Further bugfixes

  • Space header image overflow (#13822): The space header image lacked explicit dimensions, causing it to overflow its container. Setting width and height to 100% keeps it within bounds.
  • Firefox logo rendering (#13834): The topbar logo was invisible in Firefox because the SVG files had no explicit width and height. Firefox requires these to establish intrinsic dimensions when loading an SVG via <img>; Chrome infers them from viewBox alone. Both attributes are now present.
  • Theme switching (#13843): Colours could get stuck or turn unreadable after switching themes until a page reload. Empty string token values were overriding stylesheet defaults with nothing, and tokens from the previous theme were not cleared before applying the new one. The fix removes all previous theme properties before applying the incoming theme and treats empty token values as unset.
    The cancel button in the password-protected folder modal was also invisible because its colour matched the dark action bar background — that is fixed too.

Getting 12.4.1

The full release, including binaries and checksums, is on GitHub: https://github.com/owncloud/web/releases/tag/v12.4.1

As always, feedback and bug reports are welcome in the issue tracker and the community forums.

ownCloud

June 22, 2026
