Description

Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, the contacts search allowed retrieving personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related to them or added as contacts.

PUBLISHED Reserved 2025-12-03 | Published 2025-12-05 | Updated 2025-12-05 | Assigner GitHub_M




MEDIUM: 4.5CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

Problem types

CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

Product status

>= 32.0.0beta1, < 32.0.1
affected

< 31.0.10
affected

References

github.com/...sories/security/advisories/GHSA-495w-cqv6-wr59

github.com/nextcloud/server/pull/55657

github.com/...ommit/e4866860cbf24a746eb8a125587262a4c8831c57

cve.org (CVE-2025-66510)

nvd.nist.gov (CVE-2025-66510)