Releases: owncloud/web
12.4.1
Changelog for ownCloud Web 12.4.1 (2026-06-18)
Summary
- Security - Validate postMessage origin in embed mode modals: #13844
- Bugfix - Add explicit size to space header image: #13822
- Bugfix - Apply vault theme after OIDC callback: #13826
- Bugfix - Gate MFA expiry dialog on vault capability: #13827
- Bugfix - Logo not rendering in Firefox: #13834
- Bugfix - Fix theme switching issues: #13843
- Bugfix - Pass vault parameter to capabilities endpoint: #13867
- Bugfix - Filter notifications by vault mode: #13877
Details
-
Security - Validate postMessage origin in embed mode modals: #13844
We've fixed a cross-site request forgery (CSRF) vulnerability where the embed
mode modals (Save As, Export As PDF and the file picker) processed incoming
postMessageevents without verifying the sender's origin. A malicious page
holding a reference to an authenticated ownCloud window could forge
owncloud-embed:select,owncloud-embed:file-pickorowncloud-embed:cancel
messages and trigger authenticated file writes in the victim's space. Incoming
messages are now validated against an allowlist consisting of the application's
own origin and the optionally configuredembed.messagesOrigin. -
Bugfix - Add explicit size to space header image: #13822
The space header image did not have explicit width and height causing the image
to overflow its container. Adding explicit width and height with values of 100%
makes sure that the image stays within the boundaries of the container. -
Bugfix - Apply vault theme after OIDC callback: #13826
When opening the vault for the first time, the user is redirected to an external
IdP for 2FA. Upon returning, the OIDC callback URL contains no vault context,
causing the regular theme to be applied instead of the vault theme. We now also
check the stored post-login redirect URL during the OIDC callback to correctly
detect vault mode. -
Bugfix - Gate MFA expiry dialog on vault capability: #13827
We've fixed the MFA session expiry warning to only appear when the vault
capability is enabled. Previously, the expiry worker and broadcast channel were
initialized unconditionally, causing the dialog to fire even when vault mode was
off. They are now lazily created only when vault is enabled and a session
duration is configured. -
Bugfix - Logo not rendering in Firefox: #13834
The topbar logo was not visible in Firefox because the SVG files lacked explicit
widthandheightattributes. Firefox requires these attributes to establish
intrinsic dimensions when loading SVGs via<img>; without them it renders the
image as 0×0. Chrome infers the dimensions fromviewBoxalone. -
Bugfix - Fix theme switching issues: #13843
When switching between themes, colors could get stuck or become unreadable until
a page refresh. Empty string values in theme tokens were overriding stylesheet
defaults with nothing, making elements invisible. Additionally, tokens from the
previous theme were not cleared before applying the new theme, causing stale
values to persist. We now remove previous theme properties before applying the
new theme and treat empty token values as unset. We also fixed the cancel button
in the password protected folder modal being invisible because its color matched
the dark action bar background. -
Bugfix - Pass vault parameter to capabilities endpoint: #13867
We've fixed the capabilities request to include the
vault=truequery parameter
when the application is in vault mode. This ensures the backend returns
vault-specific capabilities. The OCS client is now reinitialized with the
correct base URL when vault mode is detected, following the same pattern as the
graph client. -
Bugfix - Filter notifications by vault mode: #13877
We've fixed the notifications panel to only show notifications relevant to the
current mode. Previously, all notifications were shown regardless of whether the
user was in vault or drive mode. Notifications are now filtered so that vault
notifications appear only in vault mode and drive notifications appear only in
drive mode.
12.4.0
mzner
Matteo
Changelog for ownCloud Web 12.4.0 (2026-05-22)
Summary
- Bugfix - Prevent duplicate call for password protected public links: #13363
- Bugfix - Use dynamic viewport units (dvh/dvw) instead of viewport units (vh/vw): #13578
- Bugfix - Cannot-edit-public-link-when-name-is-too-long: #13610
- Bugfix - Fix space key selecting wrong resource: #13634
- Bugfix - Fix share invite button being pushed down in space sharing: #13793
- Bugfix - Fix upload confirmation not visible on file drop page: #13799
- Enhancement - Strip WebDAV prefix: #13545
- Enhancement - Use spaceId: #13577
- Enhancement - Add theme mode: #13631
- Enhancement - Support log and conf files in text editor: #13632
- Enhancement - Show correct modal for saveAs and open actions: #13759
- Enhancement - Add vault search separation: #13769
- Enhancement - Add new theme colors: #13795
- Enhancement - Check vault permission: #13802
- Enhancement - MFA session expiry warning: #13803
- Enhancement - Vault-aware breadcrumbs: #13803
Details
-
Bugfix - Prevent duplicate call for password protected public links: #13363
We've fixed an issue where the password protected public link was being called
twice. -
Bugfix - Use dynamic viewport units (dvh/dvw) instead of viewport units (vh/vw): #13578
We have updated the CSS to use dynamic viewport units (dvh/dvw) instead of
viewport units (vh/vw) for better responsiveness on mobile devices, especially
when the virtual keyboard appears. -
Bugfix - Cannot-edit-public-link-when-name-is-too-long: #13610
We've fixed an issue where users were unable to edit a public link if the name
of the link was too long. -
Bugfix - Fix space key selecting wrong resource: #13634
We have fixed a bug where pressing the space key in the file list or the space
list would select the wrong resource. This issue was caused by a mismatch
between the index of the selected item and the index of the item in the file
list. -
Bugfix - Fix share invite button being pushed down in space sharing: #13793
We have fixed a bug where the "Share" button in the invite collaborator form was
being pushed down when sharing a space. The layout now properly aligns items
vertically and prevents the button from wrapping to a new line. -
Bugfix - Fix upload confirmation not visible on file drop page: #13799
We've fixed a responsive layout issue where the upload confirmation message was
not visible at small browser window sizes on the file drop page. The
UploadInfopanel was being clipped due to broken CSS. The layout now uses
natural document flow so the confirmation is always visible regardless of
viewport size. -
Enhancement - Strip WebDAV prefix: #13545
Added a new logic to the WebDAV client to strip the prefix from the path if it
is present. Previously, only/dav/prefix would be stripped when parsing the
response. Now, it will strip all the parts of the base remote URL. For example,
if the base remote URL ishttps://example.com/my/nested/path/, it will strip
the/my/nested/path/dav/prefix. -
Enhancement - Use spaceId: #13577
We now use the
spaceIdwhen matching the space for a resource instead of
manually constructedstorageIdfrom the resource ID. -
Enhancement - Add theme mode: #13631
We've added a new property to the theme called
mode. This property specifies
whether the theme is suitable for regular mode or vault mode. Valid values are
regularandvault. -
Enhancement - Support log and conf files in text editor: #13632
We've added support for
.logand.conffiles in the text editor. -
Enhancement - Show correct modal for saveAs and open actions: #13759
We've added logic to show the correct modal when the user clicks on "Save As" or
"Open" from the 3 dots context menu. -
Enhancement - Add vault search separation: #13769
We've implemented vault search separation by adding the
vault:truequery token
to the<oc:pattern>search payload. The token is now included in both "All
files" and "Current folder" search requests, ensuring vault content is correctly
scoped in all search scenarios. -
Enhancement - Add new theme colors: #13795
We've added new theme colors. These new colors are:
- background-sidebar - search-input-text-default - search-input-text-muted -
search-input-border - search-input-bg
- background-sidebar - search-input-text-default - search-input-text-muted -
-
Enhancement - Check vault permission: #13802
When the user has the
VaultMode.ReadWriteEnabled.ownpermission, the mode
switch will be shown in the topbar. -
Enhancement - MFA session expiry warning: #13803
We've added a warning modal that notifies users before their multi-factor
authentication session expires. Users can extend the session via silent OIDC
renewal or dismiss the warning. The modal state is synchronized across multiple
browser tabs using a BroadcastChannel. -
Enhancement - Vault-aware breadcrumbs: #13803
We've introduced vault-aware breadcrumbs that show Vault or Drive as the root
item depending on the active scope. Users without vault access see the original
labels instead.
12.3.3
Changelog for ownCloud Web 12.3.3 (2026-04-27)
Summary
- Bugfix - Share button not usable when role dropdown text is too long: #13638
- Bugfix - Shared with does not show members: #13667
- Bugfix - Escape strings when returned from server: #13680
Details
-
Bugfix - Share button not usable when role dropdown text is too long: #13638
We've fixed an issue where the share button was not usable when the text in the
role dropdown was too long. -
Bugfix - Shared with does not show members: #13667
We've fixed an issue where the list of external users in the "Shared with"
section was not displayed. -
Bugfix - Escape strings when returned from server: #13680
We've fixed an issue where strings returned from the server were not escaped
12.3.2
Changelog for ownCloud Web 12.3.2 (2026-02-27)
Summary
- Enhancement - Use signature auth: #11963
Details
-
Enhancement - Use signature auth: #11963
When requesting resources from public links, we now request also
oc:signature-authproperty. This property is then used to sign the archiver
download URL within password protected public links.
12.3.1
mzner
Matteo
Changelog for ownCloud Web 12.3.1 (2026-02-05)
Summary
- Bugfix - Search Text Overalps With Search Icon In The Search Bar: #13542
Details
-
Bugfix - Search Text Overalps With Search Icon In The Search Bar: #13542
We have fixed an issue where the search text in the search bar would overlap
with the search icon, making it difficult to read. This improvement enhances the
user experience by ensuring that the search text is clearly visible and does not
interfere with the functionality of the search icon.
12.3.0
mzner
Matteo
Changelog for ownCloud Web 12.3.0 (2026-01-23)
Summary
- Bugfix - Prevent overlapping search content: #13406
- Bugfix - Filter only personal trashed spaces: #13415
- Enhancement - Dynamic theme-color meta tag based on loaded theme: #5847
- Enhancement - Use beta endpoint for single drive operations: #13412
- Enhancement - Add crash page: #13426
- Enhancement - Catch spaces loading error: #13426
- Enhancement - Drop custom share filters: #13485
- Enhancement - Add cross-instance reference: #13499
- Enhancement - Add instance switcher: #13500
Details
-
Bugfix - Prevent overlapping search content: #13406
We've fixed an issue where the search placeholder and value were overlapping the
search scope filter on mobile devices. The placeholder is now hidden on mobile
devices, scope filter is represented by an icon instead of text and a correct
padding is applied to the search input so that the value ends before reaching
the icons. -
Bugfix - Filter only personal trashed spaces: #13415
Instead of filtering all trashed spaces, we now filter only personal trashed
spaces. This fixes the issue where listing spaces with "Include disabled" option
toggled did not show disabled spaces. -
Enhancement - Dynamic theme-color meta tag based on loaded theme: #5847
The theme-color meta tag now dynamically uses the brand color from the currently
loaded theme instead of a hardcoded value. This improves Safari's tab bar
styling to match custom themes and provides a more cohesive branded experience. -
Enhancement - Use beta endpoint for single drive operations: #13412
We've updated the single drive operations to use the v1 beta endpoint. This
allows us to drop custom hardcoded logic for converting drive permissions. -
Enhancement - Add crash page: #13426
We've added a crash page to the application. This page is displayed when the
application encounters an error that it cannot recover from. -
Enhancement - Catch spaces loading error: #13426
In case there is any error during spaces loading, the application will now
display a crash page instead of showing an infinite loading state. -
Enhancement - Drop custom share filters: #13485
In the Shares panel, we have dropped the custom filters applied to the
recipients autocomplete. The filtering is happening already in the backend, so
we don't need to apply any custom filters here. It also makes implementing new
filters faster in the future because they need to be implemented only once in
the backend. If this change breaks any specific use cases, it will be fixed in
the backend. -
Enhancement - Add cross-instance reference: #13499
Added cross-instance reference to the user account page. The cross-instance
reference is a unique identifier for the user across different oCIS instances. -
Enhancement - Add instance switcher: #13500
Added a list of users' instances to the user menu. When multiple instances are
enabled in oCIS, the user can switch between instances by clicking on the
instance in the list. The list displays maximum 3 instances. If there are more
instances, the user can click on a button to open the instances modal. Within
the modal, the user can see all instances and switch between them by clicking on
the instance or a "Switch" button.
12.2.0
Changelog for ownCloud Web 12.2.0 (2025-11-21)
Summary
- Bugfix - Fix copying public link and password on Safari: #13177
- Bugfix - Fix incorrect translations: #13198
- Bugfix - Remove duplicate resource links: #13203
- Bugfix - Do not disable sharing of resources when managing spaces via claims: #13213
- Bugfix - Fix spinner loading continuously when resource is deleted: #13223
- Bugfix - Include Ubuntu font: #13233
- Bugfix - External share ID fallback: #13253
- Bugfix - Handle file loading error: #13274
- Bugfix - Use sticky header composable in deleted files: #13329
- Enhancement - Hide trashed spaces: #13168
- Enhancement - Drop beta badge from GeoGebra pinboards: #13169
- Enhancement - Add Excalidraw file icon: #13172
- Enhancement - Add Visio file icons: #13197
- Enhancement - Add table caption: #13224
- Enhancement - Use API groups search in admin settings: #13235
- Enhancement - Embed mode share links with password: #13296
Details
-
Bugfix - Fix copying public link and password on Safari: #13177
We have fixed an issue where copying the public link and password on Safari was
not working as expected. -
Bugfix - Fix incorrect translations: #13198
We have fixed an issue where translations were always showing in English,
regardless of the user's selected language. -
Bugfix - Remove duplicate resource links: #13203
In the resources table, we had duplicate resource links. This has been fixed by
removing the link from the resource icon. The icon is now treated solely as a
decorative element and is hidden from screen readers. -
Bugfix - Do not disable sharing of resources when managing spaces via claims: #13213
When managing spaces via claims, we were disabling sharing of resources when the
server managed spaces capability was enabled. This was not correct, as we should
only disable sharing of spaces. -
Bugfix - Fix spinner loading continuously when resource is deleted: #13223
We have fixed an issue where the loading spinner would continue to spin
indefinitely when a resource was deleted. -
Bugfix - Include Ubuntu font: #13233
We've included the Ubuntu font in the web container. This fixed the issue where
the Ubuntu font was not being loaded in the PDF export due to CSP restrictions.
The font is distributed under the open licence. -
Bugfix - External share ID fallback: #13253
We now fallback to the original ID if decoding the external share ID fails.
-
Bugfix - Handle file loading error: #13274
Skip loading file content if getting the file info fails. This prevents an
unexpected error when opening a file. -
Bugfix - Use sticky header composable in deleted files: #13329
The sticky header composable is now used in the deleted files view. This fixes
the issue where the header was always sticky. On smaller screens, this breaks
the layout and overlaps the content. -
Enhancement - Hide trashed spaces: #13168
If the
root.deleted.stateproperty of a space istrashed, the space is not
shown in the UI. This includes also personal spaces. -
Enhancement - Drop beta badge from GeoGebra pinboards: #13169
We've dropped the beta badge from the GeoGebra pinboard icon.
-
Enhancement - Add Excalidraw file icon: #13172
Added a new file icon for Excalidraw files. Any file with the extension
.excalidrawwill now have the Excalidraw logo as file icon. -
Enhancement - Add Visio file icons: #13197
Added a new file icon for Visio files. The icon is used for files with the
extension.vsd,.vsdm,.vsdx,.vss,.vssm,.vssx,.vst,.vstm,
.vstx. The icon is afileicon from Font Awesome adjusted by subtracting the
project-diagramicon from it.#13197
https://fontawesome.com/v5/icons/file?f=classic&s=solid
https://fontawesome.com/v5/icons/project-diagram?f=classic&s=solid -
Enhancement - Add table caption: #13224
We added a caption to the
OcTablecomponent. It's content can be set via a
newly introducedcaptionprop. The visibility of the caption can also be
toggled via newcaptionVisibleprop. By default, it is visible only to screen
readers. If theOcTableincludes any sortable columns, the caption will
automatically include screen reader only explanation of sorting capabilities.
This makes sure that screen readers are not overriding column headers with
actions viaaria-labeland that it does not repeat the same action multiple
times. All of this behavior is directly inspired by the ARIA Authoring Practices
Guide (APG).#13224
https://www.w3.org/WAI/ARIA/apg/patterns/table/examples/sortable-table/ -
Enhancement - Use API groups search in admin settings: #13235
We have changed the search behaviour in the admin settings. Instead of filtering
the groups in the client, we now use the search parameter of the list groups API
endpoint. -
Enhancement - Embed mode share links with password: #13296
In embed mode, the "Copy link and password" button text has been changed to
"Share link(s) and password(s)". When sharing links in embed mode, a new event
owncloud-embed:share-linksis now emitted that contains an array of objects
with the link URL and optionally the password (when the "Share link(s) and
password(s)" button is clicked). This allows parent applications to handle both
the link and password programmatically.DEPRECATION NOTICE: This deprecates the
owncloud-embed:shareevent. The
existing event continues to be emitted for backward compatibility.
12.1.2
Changelog for ownCloud Web 12.1.2 (2025-11-24)
Summary
- Bugfix - Do not disable sharing of resources when managing spaces via claims: #13213
Details
12.1.1
This release contains only updated translations.
12.1.0
Changelog for ownCloud Web 12.1.0 (2025-10-02)
Summary
- Bugfix - Reset selection only when path changes: #12768
- Bugfix - Handle direct admin settings access: #12780
- Bugfix - Add clipboard permissions: #12954
- Bugfix - Set md-editor code block header to have z-index of 0: #13075
- Bugfix - Make progress bar settings reactive: #13126
- Bugfix - Handle HTML upload error: #13127
- Bugfix - Disallow U+202E character in folder name: #13136
- Bugfix - Use correct color for universal icon: #13142
- Enhancement - Add markdown to PDF export: #12788
- Enhancement - Use switch for full text search filter: #12915
- Enhancement - Add MFA capability: #12925
- Enhancement - Add universal access: #12933
- Enhancement - Add GeoGebra pinboard icon: #12973
- Enhancement - Replace board icon: #12974
- Enhancement - Add OcResponsiveImage component: #13093
- Enhancement - Add topbar mobile logo theme option: #13093
- Enhancement - Add mobile to query param: #13110
- Enhancement - Use OCS v2 API: #13111
- Enhancement - Drop
remote.phpfrom WebDAV paths: #13113 - Enhancement - Display custom attributes in share autocomplete: #13144
Details
-
Bugfix - Reset selection only when path changes: #12768
We've changed the way we reset the selection when the route changes.
Previously, we were resetting the selection when the route changed, but this was
not working as expected. For example, when updatingscrollToroute query, the
selection was being unintentionally reset.Now, we're only resetting the selection when the path changes.
-
Bugfix - Handle direct admin settings access: #12780
Opening the admin settings directly by pasting the URL in the browser address
bar or opening the app in a new tab now works correctly. The redirect was not
correctly using the navigation guard leading to a mismatch in users permissions.
We now redirect to the first available route and leave the route itself to
handle the permissions navigation guard. -
Bugfix - Add clipboard permissions: #12954
We've added clipboard permissions to the iframe in external apps to allow the
external editor to read and write to the clipboard. -
Bugfix - Set md-editor code block header to have z-index of 0: #13075
We have fixed an issue where the code block header in the markdown editor was
cutting off other elements on the page. This has been resolved by setting the
z-index of the code block header to 0. -
Bugfix - Make progress bar settings reactive: #13126
We had a bug where the progress bar settings were not reactive. This caused
labels to not be updated when the language changed. Adding reactivity to the
progress bar settings fixes this issue. -
Bugfix - Handle HTML upload error: #13127
We had a bug where the upload error was not handled correctly when the server
returned an HTML error. This caused the upload to fail and the user to not be
able to see details about the upload. -
Bugfix - Disallow U+202E character in folder name: #13136
We have fixed an issue where the U+202E (Right-to-Left Override) character could
be used in folder names, which could lead to confusion and potential security
risks. This character is now disallowed in folder names to ensure clarity and
prevent misuse. -
Bugfix - Use correct color for universal icon: #13142
We've fixed the universal icon color to ensure it matches the chosen theme.
-
Enhancement - Add markdown to PDF export: #12788
Added a new file action which allows exporting a markdown files as a PDF. Users
can export the markdown file as a PDF by clicking on the new action in the
context menu inside the markdown editor. Users are able to choose a location and
a name for the exported PDF file. The export is done in the background and the
user is notified when it is ready. -
Enhancement - Use switch for full text search filter: #12915
We've replaced the "Title only" search filter pill with a toggle between "Title
Only" and "Full Text Search". This change should improve the user experience as
it's easier to understand the toggle. -
Enhancement - Add MFA capability: #12925
We've added a capability to check if MFA is enabled. If the capability is
enabled, we will require MFA when accessing the admin settings page. -
Enhancement - Add universal access: #12933
We've added a new dropdown menu to the top bar and a new link to the user menu
that allows users to access the accessibility options. This change is necessary
for accessibility compliance. Both dropdown menu and user menu link are only
shown if the theme provides the necessary URLs.To set the URLs, you need to add the following to your theme:
{ "common": { "urls": { "universalAccessEasyLanguage": "<url>", "universalAccessSignLanguage": "<url>", "accessibilityStatement": "<url>" } }, "clients": { "web": { "defaults": { "icons": { "universalAccess": "<url>", "universalAccessEasyLanguage": "<url>", "universalAccessSignLanguage": "<url>" } } } } } -
Enhancement - Add GeoGebra pinboard icon: #12973
We've added a new icon for GeoGebra pinboards.
-
Enhancement - Replace board icon: #12974
We've replaced the GeoGebra board icon with a new one. The new icon no longer
includes the "beta" badge. -
Enhancement - Add OcResponsiveImage component: #13093
We've added a new component to display an image which will change its source
based on the viewport width. -
Enhancement - Add topbar mobile logo theme option: #13093
We've added a new theme option called
logo.topbarSmto set a different logo
for the topbar on mobile devices. -
Enhancement - Add mobile to query param: #13110
In order to enable ONLYOFFICE Mobile Web View, we have added the
mobilequery
parameter to the document editor URL. This allows users to access a
mobile-optimized version of the document editor when accessing it from mobile
devices. -
Enhancement - Use OCS v2 API: #13111
We have updated the OCS API to version 2. This is not a breaking change because
oCIS uses one implementation for both versions. -
Enhancement - Drop
remote.phpfrom WebDAV paths: #13113We have dropped the
remote.phpprefix from WebDAV paths. This is not a
breaking change because oCIS strips this string from the path and it had been
done in the past only to support ownCloud 10. -
Enhancement - Display custom attributes in share autocomplete: #13144
When sharing a resource, we're now displaying custom attributes in the
autocomplete. Previously, we were only displaying the user's email address. What
attributes are displayed depends on the server configuration.