Community | ownCloud | Product | Release | Server

ownCloud Server 11.0.0-rc1: First Release Candidate for the Next Major Version

The first release candidate for ownCloud Server 11 is out. This is the release that surfaces breakage: PHP 7 support dropped, deprecated database and group-management classes removed, major version bumps to Doctrine DBAL and Symfony, subadmin disabled by default. Three security fixes underneath. Do not deploy in production. Do test against your apps and integrations.

This is a release candidate. It is intended for testing only and is not suitable for production deployments.
If you run ownCloud Server in a production environment, stay on the latest 10.16.x release until ownCloud Server 11.0.0 reaches general availability.
Refer to “Testing and Compatibility” below to see a list of compatibility tests you should prioritize.

ownCloud Server 11.0.0-rc1 is the first public release candidate for the next major version of the classic ownCloud Server, the PHP-based platform that has been the foundation of self-hosted ownCloud deployments since the project’s beginning.

The headline of this release isn’t a new feature; it’s cleanup: a batch of legacy database and group-management classes that have been deprecated for years are now gone, PHP 7 support has been dropped, and several core dependencies (Symfony, Doctrine DBAL) jump major versions. On top of that, three security fixes address information disclosure and access control issues, and the subadmin feature is now disabled by default. If you maintain apps or integrations against the 10.x internals, this is the release that will surface breakage.

What a Release Candidate Means

An RC1 marks the transition from active development to stabilization. The feature set for 11.0.0 is now frozen: what you see in RC1 is what 11.0.0 GA will contain, modulo any critical fixes discovered during the RC period. Publishing RC1 invites the broader community and enterprise customers to test their installations, verify compatibility with their apps and integrations, and report any remaining issues before GA.

What’s New in ownCloud Server 11

Legacy code removal. ownCloud 11 removes a set of database and group-management classes that have been deprecated for a long time (#41455 and follow-ups #41458, #41462, #41464, #41468):

  • OC_DB and OC_DB_StatementWrapper
  • OC_Group_Backend, OC_Group_Database, and the OC_Group_Interface interface
  • OC_OCS_Result
  • \OCP\DB
  • MDBSchemaWriter, plus MDB2SchemaManager::getDbStructure() and MDB2SchemaManager::generateChangeScript()
  • the OC_User_Interface interface

Any app that still queries the database through OC_DB instead of the modern query builder, or implements the old OC_Group_Interface/OC_User_Interface contracts for a custom backend, will not load on 11.0. This is exactly the kind of break a major version exists to make.

PHP 7 support dropped. The changelog note on switching to phan’s major version 6 code analyzer says it plainly: „now that PHP 7 support has been dropped, we can use the latest release of the phan code analyser“ (#41650). Deployments still running PHP 7.x need to upgrade the PHP runtime before moving to 11.0.

Major dependency bumps. A large dependency refresh landed alongside the PHP 7 drop (#41450 and eleven follow-up PRs), most notably:

  • doctrine/dbal13.9 → 3.10.4 (major version jump)
  • symfony/console, symfony/mailer, symfony/process, symfony/routing, symfony/string, and symfony/translation all moved to the 7.4.x line
  • guzzlehttp/guzzle10.0 → 7.12.3, plus matching bumps to guzzlehttp/promises and guzzlehttp/psr7
  • phpseclib/phpseclib0.49 → 3.0.55, sabre/vobject 4.5.8 → 4.6.0, firebase/php-jwt 7.0.5 → 7.1.0, and smaller updates to pimple/pimple, sabre/event, google/apiclient, google/apiclient-services, and google/auth

Doctrine DBAL 3.x and Symfony 7.x both carry their own breaking changes relative to the versions ownCloud 10.x shipped. Apps that bundle or depend on specific versions of these libraries directly (rather than going through ownCloud’s own abstractions) should be tested against 11.x explicitly.

Subadmin (group-admin) disabled by default. This is technically filed as a security fix but has real behavioral impact: the subadmin feature is now gated behind a new allow_subadmins config flag and is off by default (#41634). See Upgrade Notes below.

Smaller changes:

  • the experimental and unsupported occ db:convert-type command has been removed (#41451)
  • the internet connectivity check now uses a configurable URL, defaulting to an IPv6-compatible independent endpoint instead of an ownCloud-operated one (#41506)
  • Microsoft Office file icons were refreshed to match Microsoft’s cloud storage partner program requirements (#41347)

Security Fixes

  • Sanitized storage connection error messages (#41585). The external storage status handler was returning raw exception messages, including Guzzle cURL error details such as resolved IP addresses and port numbers, in its JSON response. This let authenticated users map internal network topology by probing storage connection states. The full exception is now logged server-side only; clients get a generic message.
  • User enumeration via password reset UI fixed (#41586). The login form only showed a „Reset it?“ link when the detected user’s backend supported password changes, which meant LDAP-backed users produced a different response than non-existent accounts. This allowed unauthenticated enumeration of valid usernames on affected backends. The backend capability check was removed; the reset link now displays uniformly regardless of user existence or backend type.
  • Subadmin (group-admin) feature disabled by default (#41634). The subadmin code path has known security shortcomings, so it is now gated behind a new allow_subadmins system config value, off by default. Deployments that rely on it can opt back in with ‚allow_subadmins‘ => true in php. On upgrade, existing group-admin assignments are preserved in the database but ignored until that flag is set.

Bugfixes

Beyond the security items, this cycle includes a solid batch of PHP 8 compatibility and correctness fixes.
On the PHP 8 front:

  • the encryption storage wrapper no longer tries to access an array offset on false
  • the federation DbHandler handles a null passed to normalizeUrl
  • the user:home:list-dirs / user:home:list-users –all occ commands no longer crash with a TypeError from passing null where IUserManager::search() expects a string (#41630) — both commands now pass an empty string, matching every other caller’s „match all“ convention

Two fixes touch account administration directly:

  • a subadmin using the email-change flow was updating their own address instead of the target user’s due to the verification token being bound to the wrong account (#41574)
  • occ encryption:decrypt-all only walked the regular files folder, leaving files_versions and files_trashbin entries flagged as encrypted, which silently blocked admins from ever running occ encryption:disable even after a successful decrypt (#41623). Decrypt-all now descends into both folders, and the disable command lists any paths still flagged instead of failing with a generic message.

Other notable fixes:

  • a .htaccess rule generated by occ maintenance:update:htaccess was blocking API requests to file paths ending in extensions like .jpg or .json (for example, favoriting a photo via the files API), returning 405 instead of routing through php (#41418)
  • federation health checks failed when a federated server was installed under a subdirectory (#41599)
  • the mail footer signature delimiter was missing its trailing space, which broke RFC 3676 signature-block detection in mail clients (#41364); MIME type mappings were added for several OpenDocument formats (#41648)
  • a dead link to the retired owncloud.com/federation page was removed from the personal federation settings (#41608)
  • a round of JS test isolation fixes also went in to stop shared singleton state from leaking between specs under Jasmine 5’s randomized test ordering (#41616).

Testing and Compatibility

To participate in testing RC1, download the release from GitHub or directly from download.owncloud.com. Set up a test instance that mirrors your production environment, including your app set, LDAP/SSO configuration, external storage connectors, and database, and run through your standard workflows. Report issues in the owncloud/core issue tracker.

Given what actually changed in this cycle, prioritize testing:

  • Any custom or third-party app that references OC_DB, \OCP\DB, OC_Group_Interface, OC_User_Interface, or the removed MDB2SchemaManager methods — these will fail to load on 11.0
  • Your PHP runtime version: confirm you are already on PHP 8.x before attempting the upgrade
  • Subadmin/group-admin workflows, if you use them — they will silently stop functioning until allow_subadmins is set
  • Anything that depends on Doctrine DBAL or Symfony behavior directly, given the major version jumps in both
  • External storage connectors and federation (OCM), where error handling and subdirectory-hosted federation partners changed

Upgrade Notes

  • Set allow_subadmins if you use group-admins. After upgrading, add ‚allow_subadmins‘ => true, to php if any of your admins rely on the subadmin/group-admin role. Existing assignments are not deleted, just ignored, until this is set.
  • Confirm your PHP version before upgrading. PHP 7 is no longer supported in this line; you must be on a supported PHP 8.x release first.
  • Audit custom apps for removed classes. Search your installed apps for references to OC_DB, OC_DB_StatementWrapper, OC_Group_Backend, OC_Group_Database, OC_OCS_Result, \OCP\DB, MDBSchemaWriter, OC_Group_Interface, and OC_User_Interface before upgrading; any hits need to be ported to current APIs first.
  • The experimental occ db:convert-type command is gone. If you were relying on it (it was never a supported migration path), plan an alternative before upgrading.

Timeline

The GA release of ownCloud Server 11.0.0 will follow once RC1 testing is complete and any critical issues are resolved. No specific GA date has been announced at the time of this writing.

Upgrading from 10.16.x

Do not upgrade production systems to 11.0.0-rc1.
For testing, ownCloud Server 11.x is available from the GitHub releases page. Follow the standard ownCloud upgrade procedure as documented in the administration manual, and test the upgrade path thoroughly, including the config and app-compatibility items above, before applying it to any environment that contains real user data.

ownCloud

8. Juli 2026

Read now:

ownCloud Infinite Scale 8.1.0: MFA-Gated Vault Storage Arrives

ownCloud Infinite Scale 8.1.0: MFA-Gated Vault Storage Arrives

oCIS 8.1.0 introduces MFA-gated vault storage as an isolated storage plane: its own provider ID, no public or federated sharing path, MFA propagated end to end, and a UI that makes the distinction obvious. Plus a public-share access control fix and roughly 60 other changes across indexing, LDAP, and connection recovery.

mehr lesen
ownCloud Infinite Scale 8.1.0: MFA-Gated Vault Storage Arrives

The New ownCloud Marketplace: Git Is the App Store

The new ownCloud Marketplace is live. 13 Web Extensions, 42 apps, 324 releases, 36 publishers and counting. Zero backend. Zero database. Zero server-side processing. The Git repository is the source of truth. The catalogue is static JSON. Publishing an app is a pull request. Git is the app store.

mehr lesen
ownCloud Infinite Scale 8.1.0: MFA-Gated Vault Storage Arrives

oCIS MCP Server v1.0.0: Your AI Assistant Just Got a Key to ownCloud

The oCIS MCP Server v1.0.0 is out. An open source bridge between ownCloud Infinite Scale and any MCP-compatible AI assistant: 80 tools across users, spaces, files, shares, federated OCM, and multi-step workflows. Apache 2.0. Self-hosted. The AI works on your authentication, against your infrastructure, with your data staying where it is.

mehr lesen