CVE-2025-66510
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-10

Assigner: GitHub, Inc.

Description
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed to retrieve personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related or added as contacts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2025-12-10
Generated
2026-05-06
AI Q&A
2025-12-05
EPSS Evaluated
2026-05-05
NVD
CVE-2025-66510
EUVD
EUVD-2025-201451
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
nextcloud nextcloud_server From 28.0.0 (inc) to 28.0.14.11 (exc)
nextcloud nextcloud_server From 29.0.0 (inc) to 29.0.16.8 (exc)
nextcloud nextcloud_server From 30.0.0 (inc) to 30.0.17.3 (exc)
nextcloud nextcloud_server From 31.0.0 (inc) to 31.0.10 (exc)
nextcloud nextcloud_server From 31.0.0 (inc) to 31.0.10 (exc)
nextcloud nextcloud_server From 32.0.0 (inc) to 32.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Nextcloud Server and Nextcloud Enterprise Server allows an authenticated user to search contacts and retrieve personal data of other users, such as emails, names, and identifiers, without proper access control. This means users can access information about accounts that are not related or added as contacts, exposing personal data improperly.


How can this vulnerability impact me? :

The vulnerability can lead to unauthorized disclosure of personal information of users within the Nextcloud system. An attacker with valid credentials could access sensitive data of other users, potentially leading to privacy breaches, targeted attacks, or misuse of personal information.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update Nextcloud Server to version 31.0.10 or later, or Nextcloud Enterprise Server to versions 28.0.14.11, 29.0.16.8, 30.0.17.3, 31.0.10 or later. These versions contain fixes that properly enforce access control on contacts search functionality to prevent unauthorized retrieval of personal data.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability allows unauthorized access to personal data such as emails, names, and identifiers of users who are not contacts, which constitutes exposure of private personal information. This unauthorized disclosure of personal data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal information. Therefore, the vulnerability negatively impacts compliance by enabling unauthorized data exposure. [3]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart