Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. When a user is trying to set up a mail account with an email address like [email protected] that does not support auto configuration, and an attacker managed to register autoconfig.tld, the used email details would be send to the server of the attacker. It is recommended that the Nextcloud Mail app is upgraded to 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 or 4.0.0.
Conclusion & alert: CVE-2024-52508 is rated Moderate Risk (50/100): CVSS High severity, with low exploitation likelihood (EPSS 0.70%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.30% | 0.70% | +0.40% |
| 2 | 2026-04-06 | 0.22% | 0.30% | +0.08% |
| 3 | 2026-03-04 | — | 0.22% | — |
Full EPSS history (33 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.2 | 3.1 | HIGH |
|
1.6 | 6.0 | [email protected] |
| 8.1 | 3.1 | HIGH |
|
2.8 | 5.2 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| nextcloud | >= 1.9.0, < 1.14.6 | cpe:2.3:a:nextcloud:mail:*:*:*:*:*:nextcloud:*:* | |
| nextcloud | >= 1.15.0, < 1.15.4 | cpe:2.3:a:nextcloud:mail:*:*:*:*:*:nextcloud:*:* | |
| nextcloud | >= 2.1.0, < 2.2.11 | cpe:2.3:a:nextcloud:mail:*:*:*:*:*:nextcloud:*:* | |
| nextcloud | >= 3.1.0, < 3.6.3 | cpe:2.3:a:nextcloud:mail:*:*:*:*:*:nextcloud:*:* | |
| nextcloud | >= 3.7.0, < 3.7.7 | cpe:2.3:a:nextcloud:mail:*:*:*:*:*:nextcloud:*:* |
| URL | Tags |
|---|---|
| https://github.com/nextcloud/mail/commit/a84c70e15d814dab6f0e8eda71bbaaf48152079b | Patch |
| https://github.com/nextcloud/mail/pull/9964 | Issue Tracking |
| https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vmhx-hwph-q6mc | Vendor Advisory |
| https://hackerone.com/reports/2508422 | Issue Tracking |