Nextcloud Server Contacts Search allowed users to retrieve contact information of other users beyond their contact list
CVE-2025-66510

4.5MEDIUM

Key Information:

Vendor

Nextcloud
Status
Security-advisories
Vendor
CVE Published:
5 December 2025

What is CVE-2025-66510?

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed to retrieve personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related or added as contacts.

Affected Version(s)

security-advisories >= 32.0.0beta1, < 32.0.1 < 32.0.0beta1, 32.0.1

security-advisories < 31.0.10 < 31.0.10

References

https://github.com/nextcloud/security-advisories/security...
x_refsource_CONFIRM
https://github.com/nextcloud/server/pull/55657
x_refsource_MISC
https://github.com/nextcloud/server/commit/e4866860cbf24a...
x_refsource_MISC

CVSS V3.1

Score:
4.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-66510 : Data Exposure Vulnerability in Nextcloud Server by Nextcloud