Home

Description

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server prior to 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1, an attacker on a multi-user system may read temporary files from Nextcloud running with a different user account, or run a symlink attack. Nextcloud Server versions 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1 fix the issue. No known workarounds are available.

PUBLISHED Reserved 2025-05-09 | Published 2025-05-16 | Updated 2025-05-16 | Assigner GitHub_M




LOW: 2.6CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

Problem types

CWE-284: Improper Access Control

Product status

>= 26.0.0, < 26.0.13.13
affected

>= 27.0.0, < 27.1.11.13
affected

>= 28.0.0, < 28.0.14.4
affected

>= 29.0.0, < 29.0.13
affected

>= 30.0.0, < 30.0.7
affected

>= 31.0.0, < 31.0.1
affected

References

github.com/...sories/security/advisories/GHSA-q568-2933-gcjq

github.com/nextcloud/server/pull/51194

hackerone.com/reports/1960647

cve.org (CVE-2025-47794)

nvd.nist.gov (CVE-2025-47794)

Download JSON