Data Exposure Vulnerability in Nextcloud Server by Nextcloud
CVE-2025-66510

4.5MEDIUM

Key Information:

Vendor

Nextcloud
Status
Security-advisories
Vendor
CVE Published:
5 December 2025

What is CVE-2025-66510?

Nextcloud Server and Nextcloud Enterprise Server contain a vulnerability that permits authenticated users to access personal data belonging to other users, such as emails, names, and identifiers. This occurs due to insufficient access control during contact searches, enabling users to retrieve information from accounts that are not directly associated with them. The affected versions include Nextcloud Server prior to 31.0.10 and 32.0.1, as well as Nextcloud Enterprise Server prior to multiple versions. Users are urged to update their installations to secure their data.

Affected Version(s)

security-advisories >= 32.0.0beta1, < 32.0.1 < 32.0.0beta1, 32.0.1

security-advisories < 31.0.10 < 31.0.10

References

https://github.com/nextcloud/security-advisories/security...
x_refsource_CONFIRM
https://github.com/nextcloud/server/pull/55657
x_refsource_MISC
https://github.com/nextcloud/server/commit/e4866860cbf24a...
x_refsource_MISC

CVSS V3.1

Score:
4.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.