Information Disclosure in Nextcloud Tables by Authenticated Users
CVE-2025-66553

4.3MEDIUM

Key Information:

Vendor

Nextcloud
Status
Security-advisories
Vendor
CVE Published:
5 December 2025

What is CVE-2025-66553?

The Nextcloud Tables app allows users to create and manage custom tables with individual columns. However, prior to versions 0.8.7 and 0.9.4, there existed a flaw where authenticated users could exploit the application by manipulating numeric IDs in requests. This resulted in unauthorized access to metadata of columns in separate tables, leading to potential exposure of sensitive information. To mitigate this risk, users are encouraged to upgrade to the latest versions where this vulnerability has been addressed.

Affected Version(s)

security-advisories >= 0.9.0-beta.1, < 0.9.4 < 0.9.0-beta.1, 0.9.4

security-advisories < 0.8.7 < 0.8.7

References

https://github.com/nextcloud/security-advisories/security...
x_refsource_CONFIRM
https://github.com/nextcloud/tables/pull/1891
x_refsource_MISC
https://github.com/nextcloud/tables/commit/e975f5bfedb692...
x_refsource_MISC

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-66553 : Information Disclosure in Nextcloud Tables by Authenticated Users