CVE-2025-66510
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-10

Assigner: GitHub, Inc.

Description
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed to retrieve personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related or added as contacts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2025-12-10
Generated
2026-06-16
AI Q&A
2025-12-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66510
EUVD
EUVD-2025-201451
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
nextcloud nextcloud_server From 28.0.0 (inc) to 28.0.14.11 (exc)
nextcloud nextcloud_server From 29.0.0 (inc) to 29.0.16.8 (exc)
nextcloud nextcloud_server From 30.0.0 (inc) to 30.0.17.3 (exc)
nextcloud nextcloud_server From 31.0.0 (inc) to 31.0.10 (exc)
nextcloud nextcloud_server From 31.0.0 (inc) to 31.0.10 (exc)
nextcloud nextcloud_server From 32.0.0 (inc) to 32.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Nextcloud Server and Nextcloud Enterprise Server allows an authenticated user to search contacts and retrieve personal data of other users, such as emails, names, and identifiers, without proper access control. This means users can access information about accounts that are not related or added as contacts, exposing personal data improperly.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of personal information of users within the Nextcloud system. An attacker with valid credentials could access sensitive data of other users, potentially leading to privacy breaches, targeted attacks, or misuse of personal information.

Mitigation Strategies

To mitigate this vulnerability, update Nextcloud Server to version 31.0.10 or later, or Nextcloud Enterprise Server to versions 28.0.14.11, 29.0.16.8, 30.0.17.3, 31.0.10 or later. These versions contain fixes that properly enforce access control on contacts search functionality to prevent unauthorized retrieval of personal data.

Compliance Impact

The vulnerability allows unauthorized access to personal data such as emails, names, and identifiers of users who are not contacts, which constitutes exposure of private personal information. This unauthorized disclosure of personal data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal information. Therefore, the vulnerability negatively impacts compliance by enabling unauthorized data exposure. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66510. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart