Nextcloud
Nextcloudcollaboration4 credentials
Instance Secret / Password Salt
nextcloud / config-secret-and-salt
Nextcloud config.php contains instance-specific values including passwordsalt and secret. Nextcloud documents these configuration parameters alongside database and server settings.
Looks like
pattern'(?:passwordsalt|secret)'\s*=>\s*'[^']+'\s*[,;]Location
config/config.phpNextcloud instance configuration containing secret and passwordsalt
deployment vaults, Kubernetes Secrets, and cloud secret managers
committed config.php files, Helm values, and backups
instance backups and container images containing config.php
Notes
These values are not user passwords, but they are instance secret material used by Nextcloud security mechanisms.
Database Credentials
nextcloud / database-credentials
Nextcloud config.php stores database settings such as dbtype, dbhost, dbname, dbuser, and dbpassword. These credentials connect the application to its database.
Looks like
pattern'dbpassword'\s*=>\s*'[^']+'\s*[,;]Location
config/config.phpNextcloud database connection configuration
MYSQL_PASSWORD, POSTGRES_PASSWORD, NEXTCLOUD_DB_PASSWORD, DATABASE_URLDocker/Kubernetes secrets, cloud secret managers, and database password vaults
committed config.php files, Docker Compose files, Helm values, and tests
backups and container images containing config.php
installer logs and database connection troubleshooting output
Notes
Database access can expose files metadata, user records, app passwords, shares, tokens, and application configuration.
User Password / App Password
nextcloud / user-password-app-password
Nextcloud users authenticate to the web UI and can use app passwords for clients. Nextcloud user management documentation covers creating users, resetting passwords, and resetting a lost admin password.
Location
Nextcloud database tables storing user, session, and app-password verifier data
/login, WebDAV, OCS APIsNextcloud login, sync, and API endpoints
client sync config, app integration config, and local credential caches
password managers, CI/CD variables, and cloud secret managers
integration scripts, tests, and accidentally committed client configs
web server logs, sync client logs, and authentication troubleshooting output
Notes
App passwords should be revoked independently from the user's main password if exposed.
External Service / Preview API Secret
nextcloud / external-service-secret
Nextcloud configuration can contain additional service secrets such as preview_imaginary_key and Redis credentials. These protect integrations used by the server.
Location
config/config.phpNextcloud external service credentials and integration keys
REDIS_HOST_PASSWORD, NEXTCLOUD_IMAGINARY_KEYdeployment vaults, Kubernetes Secrets, and cloud secret managers
committed config files and deployment manifests
Notes
External service secrets may grant access to cache, preview, mail, object storage, or directory services connected to Nextcloud.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.