Description

Nextcloud Talk is a video and audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions could delete the poll drafts of other participants in the conversation by supplying the drafts' numeric IDs. This vulnerability is fixed in 20.1.8 and 21.1.2.

PUBLISHED Reserved 2025-12-04 | Published 2025-12-05 | Updated 2025-12-05 | Assigner GitHub_M




LOW: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)

Problem types

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

< 20.1.8: affected

>= 21.0.0-beta.1, < 21.1.2: affected

References

github.com/...sories/security/advisories/GHSA-pr9f-vqgg-m2jh

github.com/nextcloud/spreed/pull/15532

github.com/...ommit/bd68e80d1dea98d84c1d621c2c681238cf041725

hackerone.com/reports/3247386

cve.org (CVE-2025-66556)

nvd.nist.gov (CVE-2025-66556)