We ship Guzzle 5 as part of Nextcloud. This handles http requests and supports HTTP_PROXY environment variable which can be abused, in some special scenario’s, by an attacker to read content. In the worst case, when you use the ajax cron feature, an attacker can potentially see external storage credentials and data. We recommend not to use the ajax cron feature but the system cron if possible, as that also improves performance and reliability.
As a precaution and because security and privacy are paramount for our users, we released a security update. Grab the latest from the install page! Here is documentation on doing a manual upgrade or migrate.
Learn more about httpoxy here.