Changelog for ownCloud Web 12.4.1 (2026-06-18)
Summary
- Security - Validate postMessage origin in embed mode modals: #13844
- Bugfix - Add explicit size to space header image: #13822
- Bugfix - Apply vault theme after OIDC callback: #13826
- Bugfix - Gate MFA expiry dialog on vault capability: #13827
- Bugfix - Logo not rendering in Firefox: #13834
- Bugfix - Fix theme switching issues: #13843
- Bugfix - Pass vault parameter to capabilities endpoint: #13867
- Bugfix - Filter notifications by vault mode: #13877
Details
- Security - Validate postMessage origin in embed mode modals: #13844
We've fixed a cross-site request forgery (CSRF) vulnerability where the embed
mode modals (Save As, Export As PDF and the file picker) processed incoming
postMessage events without verifying the sender's origin. A malicious page
holding a reference to an authenticated ownCloud window could forge
owncloud-embed:select, owncloud-embed:file-pick or owncloud-embed:cancel
messages and trigger authenticated file writes in the victim's space. Incoming
messages are now validated against an allowlist consisting of the application's
own origin and the optionally configured embed.messagesOrigin.
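The origin check this entry describes, as an added example in plain JavaScript that is not ownCloud Web's own code. It shows the unchecked handler beside the hardened one: the allowlist is built from the application's own origin plus the optional embed.messagesOrigin, and the hardened handler compares the browser-supplied event.origin against it before it looks at the payload. The function names, the { name, data } message shape and the sample origins are assumptions for illustration; the three message names and the embed.messagesOrigin option are the ones named in the entry.

```javascript
// Added example (not ownCloud Web's code): origin allowlisting for embed-mode
// postMessage handlers. Function names and the { name, data } message shape
// are assumptions for illustration.

const EMBED_MESSAGE_TYPES = new Set([
  'owncloud-embed:select',
  'owncloud-embed:file-pick',
  'owncloud-embed:cancel'
]);

// Build the allowlist: the app's own origin plus the optional configured
// embed.messagesOrigin. new URL(...).origin normalizes scheme, host and port
// and drops any path, so the check below is an exact string comparison.
function buildAllowedOrigins(appOrigin, messagesOrigin) {
  const allowed = new Set([new URL(appOrigin).origin]);
  if (messagesOrigin) {
    allowed.add(new URL(messagesOrigin).origin);
  }
  return allowed;
}

// Vulnerable shape: any page holding a reference to the window can send a
// well-formed message and the handler acts on it.
function handleEmbedMessageUnchecked(event, onAction) {
  const { name, data } = event.data || {};
  if (!EMBED_MESSAGE_TYPES.has(name)) return false;
  onAction(name, data);
  return true;
}

// Hardened shape: event.origin is filled in by the browser and cannot be
// forged by the sending page, so reject anything not on the allowlist before
// touching the payload. Returns true only when an action was dispatched.
function handleEmbedMessageChecked(event, allowedOrigins, onAction) {
  if (typeof event.origin !== 'string' || !allowedOrigins.has(event.origin)) {
    return false; // ignore silently: no action, no reply to the sender
  }
  const { name, data } = event.data || {};
  if (!EMBED_MESSAGE_TYPES.has(name)) return false;
  onAction(name, data);
  return true;
}

// In a browser the listener is registered roughly like this:
//   window.addEventListener('message', (e) =>
//     handleEmbedMessageChecked(e, allowed, dispatchEmbedAction));
// Below, constructed MessageEvent-like objects stand in for real events.
function demo() {
  const allowed = buildAllowedOrigins(
    'https://cloud.example.com/apps/files', // constructed app URL
    'https://host.example.org'              // constructed embed.messagesOrigin
  );
  const dispatched = [];
  const record = (name) => dispatched.push(name);
  const forged = {
    origin: 'https://attacker.example',      // constructed foreign origin
    data: { name: 'owncloud-embed:select', data: {} }
  };
  const legitimate = {
    origin: 'https://host.example.org',
    data: { name: 'owncloud-embed:cancel' }
  };
  return {
    forgedUnchecked: handleEmbedMessageUnchecked(forged, record),   // true
    forgedChecked: handleEmbedMessageChecked(forged, allowed, record), // false
    legitimateChecked: handleEmbedMessageChecked(legitimate, allowed, record), // true
    dispatched // ['owncloud-embed:select', 'owncloud-embed:cancel']
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The allowlist holds normalized origins, never a wildcard, and a rejected message is dropped without a reply so the sender learns nothing from the check.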
- Bugfix - Add explicit size to space header image: #13822
The space header image did not have an explicit width and height, causing the
image to overflow its container. Adding an explicit width and height of 100%
makes sure that the image stays within the boundaries of the container.
- Bugfix - Apply vault theme after OIDC callback: #13826
When opening the vault for the first time, the user is redirected to an external
IdP for 2FA. Upon returning, the OIDC callback URL contains no vault context,
causing the regular theme to be applied instead of the vault theme. We now also
check the stored post-login redirect URL during the OIDC callback to correctly
detect vault mode.
- Bugfix - Gate MFA expiry dialog on vault capability: #13827
We've fixed the MFA session expiry warning to only appear when the vault
capability is enabled. Previously, the expiry worker and broadcast channel were
initialized unconditionally, causing the dialog to fire even when vault mode was
off. They are now lazily created only when vault is enabled and a session
duration is configured.
- Bugfix - Logo not rendering in Firefox: #13834
The topbar logo was not visible in Firefox because the SVG files lacked explicit
width and height attributes. Firefox requires these attributes to establish
intrinsic dimensions when loading SVGs via <img>; without them it renders the
image as 0×0. Chrome infers the dimensions from viewBox alone.
- Bugfix - Fix theme switching issues: #13843
When switching between themes, colors could get stuck or become unreadable until
a page refresh. Empty string values in theme tokens were overriding stylesheet
defaults with nothing, making elements invisible. Additionally, tokens from the
previous theme were not cleared before applying the new theme, causing stale
values to persist. We now remove previous theme properties before applying the
new theme and treat empty token values as unset. We also fixed the cancel button
in the password protected folder modal being invisible because its color matched
the dark action bar background.
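One way to implement the two token fixes this entry describes (clearing the previous theme's custom properties before applying the next theme, and skipping empty token values so the stylesheet default stays in effect), as an added JavaScript example that is not ownCloud Web's own code. The function names, the token-to-custom-property mapping and the fake style object are assumptions; in a browser the target would be document.documentElement.style, which has the same setProperty/removeProperty interface.

```javascript
// Added example (not ownCloud Web's code): applying theme tokens as CSS custom
// properties without leaving stale values or empty overrides behind.
// `target` is anything with setProperty/removeProperty, e.g.
// document.documentElement.style in a browser. Names are illustrative.

// Assumed mapping: token "color-primary" becomes custom property "--color-primary".
function tokenToProperty(name) {
  return name.startsWith('--') ? name : `--${name}`;
}

// Applies `nextTokens` and returns the token names actually set, so the caller
// can pass that list back as `previousTokenNames` on the next switch.
function applyThemeTokens(target, previousTokenNames, nextTokens) {
  // 1. Clear everything the previous theme set; otherwise a token the new
  //    theme does not define keeps the old theme's value (the "stuck color").
  for (const name of previousTokenNames) {
    target.removeProperty(tokenToProperty(name));
  }
  // 2. Set the new theme's tokens. An empty value would override the
  //    stylesheet default with nothing (invisible element), so treat it as
  //    unset and leave the default in place.
  const applied = [];
  for (const [name, value] of Object.entries(nextTokens)) {
    if (value === undefined || value === null || String(value).trim() === '') {
      continue;
    }
    target.setProperty(tokenToProperty(name), String(value));
    applied.push(name);
  }
  return applied;
}

// Minimal stand-in for CSSStyleDeclaration so the example runs outside a
// browser; `has` is an addition for inspection and not part of the DOM API.
function createFakeStyle() {
  const props = new Map();
  return {
    setProperty: (k, v) => props.set(k, v),
    removeProperty: (k) => props.delete(k),
    getPropertyValue: (k) => props.get(k) ?? '',
    has: (k) => props.has(k)
  };
}

// Constructed themes: the second one leaves "color-danger" empty on purpose.
const style = createFakeStyle();
let active = applyThemeTokens(style, [], { 'color-primary': '#123456', 'color-danger': '#ff0000' });
active = applyThemeTokens(style, active, { 'color-primary': '#abcdef', 'color-danger': '' });
console.log(active, style.getPropertyValue('--color-primary'), style.has('--color-danger'));
```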
- Bugfix - Pass vault parameter to capabilities endpoint: #13867
We've fixed the capabilities request to include the vault=true query parameter
when the application is in vault mode. This ensures the backend returns
vault-specific capabilities. The OCS client is now reinitialized with the
correct base URL when vault mode is detected, following the same pattern as the
graph client.
- Bugfix - Filter notifications by vault mode: #13877
We've fixed the notifications panel to only show notifications relevant to the
current mode. Previously, all notifications were shown regardless of whether the
user was in vault or drive mode. Notifications are now filtered so that vault
notifications appear only in vault mode and drive notifications appear only in
drive mode.