Changelog for ownCloud Core 10.16.3 (2026-05-22)
The following sections list the changes in ownCloud core 10.16.3 relevant to ownCloud admins and users.
Summary
Security - Update phpseclib to 3.0.52 for CVE-2026-40194: #41529
Security - Restrict AppConfigController read methods to full admins only: #41550
Security - Update symfony/routing to 5.4.52 for CVE-2026-45065: #41559
Bugfix - Prevent mounting local storage if not allowed: #41538
Bugfix - Use the correct user ID when changing email via admin API: #41539
Bugfix - Prevent IDOR in WebDAV comments API: #41558
Details
Security - Update phpseclib to 3.0.52 for CVE-2026-40194: #41529
CVE-2026-40194: Timing attack vulnerability in SSH binary packet processing. Upgraded phpseclib/phpseclib from 3.0.50 to 3.0.52.
https://github.com/owncloud/core/pull/41529 https://github.com/owncloud/core/pull/41541 https://github.com/phpseclib/phpseclib/releases/tag/3.0.51
Security - Restrict AppConfigController read methods to full admins only: #41550
Subadmin users could read all oc_appconfig values including SMTP passwords, LDAP bind credentials, and encryption master keys via the Settings API. Removed @NoAdminRequired from getApps, getKeys, and getValue so that the AdminMiddleware enforces full-admin-only access, consistent with the write methods.
https://github.com/owncloud/core/pull/41550
Security - Update symfony/routing to 5.4.52 for CVE-2026-45065: #41559
CVE-2026-45065: UrlGenerator route-requirement bypass via unanchored regex alternation allowing off-site URL injection. Upgraded symfony/routing from 5.4.48 to 5.4.52.
https://github.com/owncloud/core/pull/41559 https://symfony.com/cve-2026-45065
Bugfix - Prevent mounting local storage if not allowed: #41538
Mounting a local storage was possible if the internal class name was used as backend, despite local storage not allowed to be mounted. This problem is fixed and the local storage can't be mounted if it was explicitly disallowed in the configuration.
https://github.com/owncloud/core/pull/41538
Bugfix - Use the correct user ID when changing email via admin API: #41539
The admin API endpoint for changing a user's email address was incorrectly using the requesting admin's user ID instead of the target user's ID, causing the admin's email to be updated rather than the intended user's.
https://github.com/owncloud/core/pull/41539
Bugfix - Prevent IDOR in WebDAV comments API: #41558
Authenticated users could read, edit, or delete comments on files they have no access to by supplying an arbitrary comment ID in the WebDAV comments endpoint. The fix verifies that a requested comment belongs to the file in the URL before returning it.
https://github.com/owncloud/core/pull/41558
Changelog for ownCloud Core 10.16.1 (2026-02-18)
The following sections list the changes in ownCloud core 10.16.1 relevant to ownCloud admins and users.
Summary
Bugfix - Apply SVG sanitization to all file content before using ImageMagick: #41433
Bugfix - Disallow empty tokens when pairing trusted servers: #41434
Change - Update PHP dependencies: #41408
Enhancement - Add mimetype aliases/mapping for .toml and .ovpn: #41431
Details
Bugfix - Apply SVG sanitization to all file content before using ImageMagick: #41433
Any file content is now sanitized for SVG threats before being processed by ImageMagick, preventing potential security vulnerabilities.
https://github.com/owncloud/core/pull/41433
Bugfix - Disallow empty tokens when pairing trusted servers: #41434
An empty token could be used to pair trusted servers, which is not secure.
https://github.com/owncloud/core/pull/41434
Change - Update PHP dependencies: #41408
The following have been updated: - monolog/monolog (2.10.0 to 2.11.0) - pear/pear-core-minimal (v1.10.16 to v1.10.18) - phpseclib/phpseclib (3.0.47 to 3.0.48) - phpseclib/phpseclib (3.0.46 to 3.0.49) - pimple/pimple (3.5.0 to 3.6.0) - sabre/http (5.1.12 to 5.1.13) - sabre/vobject (4.5.7 to 4.5.8) - symfony/process (5.4.47 to 5.4.51) - theseer/tokenizer (1.2.3 to 1.3.1)
https://github.com/owncloud/core/pull/41408 https://github.com/owncloud/core/pull/41421 https://github.com/owncloud/core/pull/41446
Enhancement - Add mimetype aliases/mapping for .toml and .ovpn: #41431
Mimetype aliases and mapping for .toml and .ovpn files got added.
https://github.com/owncloud/core/pull/41431
