CVE-2025-66553
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-09

Assigner: GitHub, Inc.

Description
Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.7 and 0.9.4, authenticated users were able to view meta data of columns in other tables of the Tables app by modifying the numeric ID in a request. This vulnerability is fixed in 0.8.7 and 0.9.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2025-12-09
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66553
EUVD
EUVD-2025-201430
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nextcloud tables From 0.8.0 (inc) to 0.8.7 (exc)
nextcloud tables From 0.9.0 (inc) to 0.9.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by monitoring requests to the Nextcloud Tables app that include numeric ID parameters used to access table column metadata. Specifically, look for authenticated user requests that modify the numeric ID in API calls to fetch column metadata. Since the vulnerability involves authorization bypass through manipulation of these IDs, commands or scripts that log and analyze HTTP requests to the Tables app endpoints for unusual or unauthorized access patterns can help detect exploitation attempts. For example, using network monitoring tools like tcpdump or Wireshark to capture HTTP traffic, or web server logs to identify requests with altered numeric IDs. Additionally, you can use curl commands to test if unauthorized metadata can be accessed by changing the numeric ID parameter in requests while authenticated. However, no specific detection commands are provided in the resources. [1]

Executive Summary

This vulnerability in Nextcloud Tables allowed authenticated users to view metadata of columns in other users' tables by changing the numeric ID in a request. It affected versions prior to 0.8.7 and 0.9.4 and was fixed in those versions.

Impact Analysis

The vulnerability could lead to unauthorized disclosure of metadata information about columns in other users' tables, potentially exposing sensitive structural information about data stored in the Tables app. However, it does not allow modification or deletion of data.

Mitigation Strategies

To mitigate this vulnerability, update the Nextcloud Tables app to version 0.8.7 or 0.9.4 or later, as these versions contain the fix that prevents authenticated users from viewing metadata of columns in other tables by modifying numeric IDs in requests.

Compliance Impact

This vulnerability allows authenticated users to view metadata of columns in other tables by bypassing authorization controls. Although the impact is limited to low confidentiality exposure of metadata (no integrity or availability impact), unauthorized access to metadata could potentially lead to compliance issues under standards like GDPR or HIPAA, which require strict access controls to protect personal or sensitive information. Organizations using affected versions of Nextcloud Tables should upgrade to patched versions to maintain compliance and prevent unauthorized data exposure. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66553. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart