Nextcloud Server users can modify tags on files that do not belong to them
CVE-2025-66547

4.3 MEDIUM

Key Information:

Vendor: Nextcloud
CVE Published: 5 December 2025

What is CVE-2025-66547?

Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1.

Affected Version(s)

security-advisories < 31.0.1

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

CVE-2025-66547: Privilege Escalation in Nextcloud Server Affects User File Tagging