Nextcloud Desktop discloses information when attempting to lock a file inside a end-to-end encrypted directory
CVE-2025-66549

2.4LOW

Key Information:

Vendor: Nextcloud
Status: Security-advisories
Vendor: CVE Published:; 5 December 2025

🔔 Create Nextcloud Vulnerability Alert

What is CVE-2025-66549?

Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5.

Affected Version(s)

security-advisories < 3.16.5

References

https://github.com/nextcloud/security-advisories/security...

x_refsource_CONFIRM

https://github.com/nextcloud/desktop/pull/8330

x_refsource_MISC

https://github.com/nextcloud/desktop/commit/36d6c234d42b0...

x_refsource_MISC

CVSS V3.1

Score:

2.4

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 5, 2025
Vulnerability Reserved
Dec 4, 2025

.

CVE-2025-66549 : File Path Exposure in Nextcloud Desktop Sync Client