Infinite Scale | News | ownCloud | Release | security

ownCloud Infinite Scale 8.1.0: MFA-Gated Vault Storage Arrives

oCIS 8.1.0 introduces MFA-gated vault storage as an isolated storage plane: its own provider ID, no public or federated sharing path, MFA propagated end to end, and a UI that makes the distinction obvious. Plus a public-share access control fix and roughly 60 other changes across indexing, LDAP, and connection recovery.

ownCloud Infinite Scale 8.1.0: MFA-Gated Vault Storage Arrives Alongside a Public-Share Access Control Fix

Released: 2026-07-03  |  Repository: owncloud/ocis  |  Release notes: https://github.com/owncloud/ocis/releases/tag/v8.1.0

What changed?

oCIS 8.1.0:

  • introduces a new vault storage tier that gates access behind multi-factor authentication,
  • closes an access control gap that let public share sessions reach an authenticated user’s signing-key endpoint,
  • rolls in 60+ bugfixes and enhancements across search indexing, LDAP, the NATS JetStream KV store, and the web frontend.

The vault work is the largest single feature arc in this release, touching the storage registry, the graph service, the OCS capabilities endpoint, and the web UI.
The security fix, while narrower in scope, matters to every deployment that uses public share links.

Security

  • Public share sessions could reach a user’s signing-key endpoint (#12332, paired with owncloud/reva#608). The /ocs/v[12].php/cloud/user/signing-key endpoint was reachable through a public share session. This is a broken access control issue: an endpoint intended only for authenticated users could be hit using a public-token scope. The fix removes that endpoint from the set of routes the public-share resource scope in reva is allowed to touch. No CVE identifier is cited in the release notes, but the vulnerability class is authorization bypass on a sensitive credential-adjacent endpoint.
  • X-XSS-Protection header disabled explicitly (#12092). oCIS now sets X-XSS-Protection: 0 to turn off the deprecated browser XSS filter, which is known to introduce its own side-channel vulnerabilities in some browsers. Real XSS mitigation continues to come from the Content-Security-Policy header. This change was driven by a security audit requiring explicit configuration of HTTP security headers per OWASP recommendations.
  • libvips upgraded to 8.18.2 (#12301). All Docker images now ship the patched libvips, closing a stack buffer overflow in the image library used for thumbnail and preview generation (CVE-2026-6491).
  • Dependency bump with an upstream DoS fix (#12325). Beyond routine bumps to reva, edwards25519, and cloudflare/circl, this pulled in shamaton/msgpack v2.4.1, which fixes a denial-of-service CVE in the msgpack library used by reva (CVE-2026-32284).
  • ServiceAccount secrets masked in config output (#12397). Config structs and envvars that can hold secrets are now masked, so a service account credential no longer shows up in config dumps.
  • Web bumped to 12.4.2, pulling a postMessage origin validation fix (owncloud/web#13844). Embed-mode modals in the web frontend now validate the origin of incoming postMessage events before acting on them, closing a cross-origin messaging weakness (Release blogpost).

New Feature: MFA-gated vault storage

The headline feature is a dedicated vault storage tier, built across a cluster of pull requests rather than a single change:

  • Vault storage with MFA-protected access (#12108). A separate storage-users service instance runs in vault mode, serving /vault/users and /vault/projects mount points under a dedicated VaultStorageProviderID. The graph service gains a corresponding vault mode, enabled via OCIS_ENABLE_VAULT_MODE, that serves the vault API under the /vault prefix. The storage registry routes vault-specific requests exclusively to the vault storage provider, which prevents accidental exposure of vault spaces when no explicit storage ID is given in a request. MFA status is propagated through gRPC metadata and forwarded in HTTP headers, including into WOPI and collaboration flows, so office document editors know when a session hasn’t cleared the MFA bar.
  • Capabilities advertisement (#12283, paired with owncloud/reva#584). The OCS capabilities endpoint, controlled by OCIS_ENABLE_VAULT_MODE / FRONTEND_ENABLE_VAULT_MODE on the frontend service, now advertises vault.enabled = true when the feature is on. Clients can query vault-specific capabilities via /ocs/v2.php/cloud/capabilities?vault=true, which reports public and federated sharing as disabled for that context.
  • Public link sharing blocked outright for vault resources (#12321). The graph service now rejects creating, updating, or setting a password on a public link when the target resource lives in the vault storage provider, returning a 400 with the message „public links are not allowed for vault resources.“ This isn’t a UI-level restriction; it’s enforced at the API.
  • Permission and UI gating (#12328, #12329). A new VaultMode.ReadWriteEnabled permission controls visibility of the vault mode switcher in the web UI, assigned to admin, space admin, and user roles but withheld from the user light role. Dedicated vault themes give the vault a visually distinct look from regular drives, so users can’t mistake one for the other.

Together these changes establish vault as an isolated storage plane: its own provider ID, no public or federated sharing path, MFA propagated end to end, and a UI that makes the distinction obvious.

Other enhancements

  • KQL now supports numeric range queries (#12094), and the search index gained an ocis search optimize CLI command (#12136) plus automatic optimization after bulk reindexing (#12104).
  • New blobstore CLI commands were added to the storage-users service (#12102), and admins can now reset IDM service user passwords (#12118).
  • The ocis_full deployment example picked up Keycloak (#12139) and refreshed container images (#12123, #12324).
  • The owncloudsql storage driver option is deprecated (#12486); see upgrade notes below.
  • Web was bumped through 12.3.1 to 12.3.3, and 12.4.0 to 12.4.2, carrying forward a long tail of frontend bugfixes: string escaping on server-returned values, viewport unit fixes for mobile browsers, a fix for the share button breaking when role text is too long, and a Firefox logo rendering bug.

Bugfixes

Two fixes stand out for their operational impact:

  • First, the space management middleware was running its reconciliation logic on every authenticated request, including signed URL requests used for file downloads (#12285). Because signed URL auth carries no OIDC claims, the middleware read that absence as „this user should have no space access“ and stripped the user from every project space. On the next normal OIDC request the user was re-added, producing an oscillating add and remove cycle that caused intermittent download failures and transient „space not found“ errors. The middleware now skips reconciliation entirely when no OIDC claims are present in the request context.
  • Second, the nats-js-kv go-micro store plugin’s hasConn() check only verified that the connection object was non-nil, not that it was actually alive (#12402). Once the underlying NATS client exhausted its reconnect attempts, for example after a NATS pod restart that outlasted the client’s reconnect window, the connection stayed non-nil but permanently closed. Because initialization was gated on !hasConn(), it never re-ran, and every subsequent KV operation failed with a connection-closed error until the affected pod was manually restarted. This surfaced to users as spaces going invisible when storage-usersListStorageSpaces calls failed against the dead connection.

Other notable fixes:

  • search indexing is now more resilient,
  • incomplete Tika extractions no longer permanently block re-indexing (#12095),
  • reindexing uses O(1) document lookups instead of a full search (#12096), and
  • files still mid-postprocessing are correctly skipped rather than indexed prematurely (#12350).
  • Rego policy compilation is now cached instead of recompiled on every authorization check (#12345), which reduces per-request overhead.
  • The CSP no longer blocks the bundled KaTeX font, which had been breaking math rendering under a strict policy (#12070).
  • WOPI lock requests now correctly return 200 OK in read-only and view-only modes (#12257).
  • Education user deletion no longer returns a 404 while silently leaving the LDAP entry behind (#12400).
  • And the long-broken –restart flag on ocis postprocessing resume is fixed; it had a flag name mismatch (retrigger versus restart) that made it silently do nothing (#11692).

Upgrade notes

No breaking changes or required migration steps are called out in the release notes. Two items are worth planning around regardless:

  • The owncloudsql value for STORAGE_USERS_DRIVER is now deprecated. It still works in 8.1.0 but any deployment still on it should plan a move to a supported storage driver before it’s removed in a future release.
  • Vault storage is opt-in, enabled via OCIS_ENABLE_VAULT_MODE and FRONTEND_ENABLE_VAULT_MODE. Deployments that don’t set these flags see no behavioral change.

Deployments using the bundled Docker images should pull the updated images to pick up the libvips 8.18.2 fix, and anyone running the NATS JetStream KV backend behind aggressive pod restart or eviction policies gets the reconnect fix automatically with no configuration change needed.

Wrapping up

8.1.0 is a release where the security fixes and the new vault feature reinforce each other: closing an access control gap on the signing-key endpoint and shipping an MFA-gated, sharing-restricted storage tier both point toward tighter control over who can reach what. Combined with a solid batch of indexing, LDAP, and connection-recovery fixes, this is a release worth applying rather than deferring. Full details, including every linked PR, are in the release notes: https://github.com/owncloud/ocis/releases/tag/v8.1.0.

ownCloud

7. Juli 2026

Read now:

The New ownCloud Marketplace: Git Is the App Store

The New ownCloud Marketplace: Git Is the App Store

The new ownCloud Marketplace is live. 13 Web Extensions, 42 apps, 324 releases, 36 publishers and counting. Zero backend. Zero database. Zero server-side processing. The Git repository is the source of truth. The catalogue is static JSON. Publishing an app is a pull request. Git is the app store.

mehr lesen
The New ownCloud Marketplace: Git Is the App Store

oCIS MCP Server v1.0.0: Your AI Assistant Just Got a Key to ownCloud

The oCIS MCP Server v1.0.0 is out. An open source bridge between ownCloud Infinite Scale and any MCP-compatible AI assistant: 80 tools across users, spaces, files, shares, federated OCM, and multi-step workflows. Apache 2.0. Self-hosted. The AI works on your authentication, against your infrastructure, with your data staying where it is.

mehr lesen
The New ownCloud Marketplace: Git Is the App Store

ownCloud Web 12.4.1 is out

ownCloud Web 12.4.1 ships with a priority fix: an embed mode postMessage vulnerability that let a malicious page forge authenticated file writes without user interaction. If you run embed mode, update. Seven bugfixes round out the release, four of them in vault mode.

mehr lesen