Permission Logic Flaw in Nextcloud Deck Kanban Tool
CVE-2025-66557

5.4MEDIUM

Key Information:

Vendor

Nextcloud
Status
Security-advisories
Vendor
CVE Published:
5 December 2025

What is CVE-2025-66557?

A flaw in the permission logic of Nextcloud Deck allows users with share permissions to alter the permission settings of other recipients without proper authorization. This issue primarily affects Nextcloud Deck versions before 1.14.6 and 1.15.2, where such capability could lead to unauthorized changes in user permissions. The vulnerability has been addressed in the specified updates, highlighting the importance of keeping software up to date to mitigate potential security risks.

Affected Version(s)

security-advisories >= 1.15.0-beta.1, < 1.15.2 < 1.15.0-beta.1, 1.15.2

security-advisories < 1.14.6 < 1.14.6

References

https://github.com/nextcloud/security-advisories/security...
x_refsource_CONFIRM
https://github.com/nextcloud/deck/pull/7131
x_refsource_MISC
https://github.com/nextcloud/deck/commit/f1da8b30a455f023...
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-66557 : Permission Logic Flaw in Nextcloud Deck Kanban Tool