Security Notice: Impact of CVE-2026-33634 on ownCloud Build Infrastructure

Summary

On March 19, 2026, a critical supply chain attack compromised Aqua Security’s Trivy vulnerability scanner (CVE-2026-33634, CVSS 9.4). This attack affected organizations worldwide that use Trivy in their CI/CD pipelines. ownCloud was among those affected.

The key facts: No customer data was compromised. No source code was altered. The attack affected our build infrastructure only – specifically the systems that produce container images and client binaries. We have contained the incident, but our ability to ship new builds and patches is temporarily suspended.

What Happened

Trivy is a widely-used open source security scanner maintained by Aqua Security. It’s an industry-standard tool used by thousands of projects and companies to scan container images and code for vulnerabilities. On March 19, attackers used previously compromised credentials to inject malicious code into official Trivy releases (v0.69.4 and later), turning a trusted security tool into a vehicle for credential theft.

This is not an ownCloud-only vulnerability. Every open source project that uses Trivy in conjunction with a current open source CI/CD pipeline is potentially affected by this attack. ownCloud happens to be one of them.

Impact on ownCloud

The compromised Trivy version ran in our build environment, which means access credentials for our build and release infrastructure were likely exposed to the attackers. Here’s what that means in practice:

• Source code: Not touched. Not altered. Our code repositories remain intact.

• Build artifacts: Container images and nightly client builds created after March 19 are considered potentially compromised. We have removed all of them from public distribution channels (Docker Hub, quay.io, GitHub, NPMjs).

• Stable releases: Previously published stable releases that pre-date March 19 are unaffected.

• Customer data: No customer-facing systems or customer data were exposed or affected at any point.

• Mobile apps: No new versions were published to iOS or Android app stores since the breach.

Action Required: ocis-rolling Image Users

If you are using the ocis-rolling container image, please contact us immediately at security@owncloud.com. The rolling image may have been built during the exposure window and should not be used until further notice. Replace it with a known-good tagged release that pre-dates March 19, 2026.
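One way to find locally pulled images that fall inside the exposure window described above, as an added example that is not part of the ownCloud notice. It assumes the images live under repositories prefixed `owncloud/` (an assumed naming), that the docker CLI is installed, and uses the March 19, 2026 cutoff from the notice.

```shell
#!/bin/sh
# Added example (not ownCloud's own tooling): flag local container images
# whose build timestamp is on or after the start of the exposure window.
# Assumption: affected images are published under repositories named
# "owncloud/..." (assumed); the cutoff date comes from the notice.

CUTOFF="2026-03-19T00:00:00Z"   # start of the exposure window (from the notice)

# built_in_exposure_window CREATED
#   CREATED is the RFC 3339 UTC timestamp printed by `docker image inspect`
#   (e.g. 2026-03-20T10:15:30.123456789Z). Both strings are UTC in the same
#   layout, so a lexicographic comparison orders them correctly without
#   parsing dates. Returns 0 (true) when CREATED is on or after CUTOFF.
built_in_exposure_window() {
    created="$1"
    [ "$created" = "$CUTOFF" ] && return 0
    expr "$created" \> "$CUTOFF" >/dev/null
}

# classify_image NAME CREATED
#   Prints a verdict line; returns 1 for a suspect image, 0 otherwise.
classify_image() {
    if built_in_exposure_window "$2"; then
        printf 'SUSPECT %s (created %s)\n' "$1" "$2"
        return 1
    fi
    printf 'OK      %s (created %s)\n' "$1" "$2"
}

# audit_local_images
#   Walks every local image under owncloud/ and classifies it. The timestamp
#   comes from the image config, so treat a SUSPECT verdict as a reason to
#   re-pull a known-good tagged release, not as proof of compromise.
#   Exits 1 if any image is suspect.
audit_local_images() {
    rc=0
    for ref in $(docker image ls --format '{{.Repository}}:{{.Tag}}' | grep '^owncloud/'); do
        created=$(docker image inspect --format '{{.Created}}' "$ref") || continue
        classify_image "$ref" "$created" || rc=1
    done
    return "$rc"
}

# Run the audit only when executed directly, so the functions can be sourced.
case "$0" in
    *audit*) audit_local_images ;;
esac
```

Save the script under a name containing `audit` and run it on any host that pulled ownCloud images; a non-zero exit means at least one image needs replacing.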

Current Status and What Comes Next

We’ve taken aggressive containment measures:

• All affected build systems have been shut down or isolated.

• All known-exposed credentials and tokens have been revoked.

• All potentially compromised artifacts have been removed from public repositories.

• Kiteworks has mobilized resources from across the entire group to fast-track the resolution.

What this means for releases: We currently cannot produce any new patches, builds, or releases for any ownCloud product. This includes oCIS, oC10, the desktop client, iOS and Android and their related components. We don’t yet know how long restoration will take. Realistically, we are looking at a delay of several weeks before build infrastructure is fully restored and verified. We understand this impacts promised delivery timelines and we will communicate updated schedules as soon as we have clarity.

We are running a full forensic analysis of all affected systems and simultaneously evaluating alternative build pipelines to restore release capability as quickly as possible.

A Note on Transparency

We believe the open source community deserves honest, timely communication about incidents like these. Supply chain attacks represent one of the most serious threats facing the software ecosystem today. The irony that a security scanning tool was weaponized to attack the very projects it was meant to protect is not lost on us.

References

Aqua Security Advisory: GHSA-69fq-xp46-6x23
CVE Record: CVE-2026-33634
Aqua Security Blog: What You Need to Know

Contact: security@owncloud.com

ownCloud GmbH – a Kiteworks Company


Some important takeaways:

  • No customer data was touched or breached

  • If you are using a build before March 19, no action is needed

  • If you are using the ocis-rolling image, contact security@owncloud.com; you may need to take action asap

  • We will unfortunately have delays with pushing any new releases and will send updates on our progress.
