PT-2025-49265 · Nextcloud+1 · Nextcloud Server+2
Published: 2025-12-05 · Updated: 2026-01-29 · CVE-2025-66510
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Nextcloud Server versions prior to 31.0.10
Nextcloud Server version 32.0.1
Nextcloud Enterprise Server versions prior to 28.0.14.11
Nextcloud Enterprise Server versions prior to 29.0.16.8
Nextcloud Enterprise Server versions prior to 30.0.17.3
Nextcloud Enterprise Server versions prior to 31.0.10

Description

Nextcloud Server and Nextcloud Enterprise Server contain a flaw in the contacts search function, which does not enforce proper access controls. An authenticated user can use it to read personal data of other users (email addresses, display names and identifiers) without authorization, including data of accounts the user has never added as contacts.

Recommendations

Update Nextcloud Server to version 31.0.10 or later.
Update Nextcloud Server to version 32.0.1 or later.
Update Nextcloud Enterprise Server to version 28.0.14.11 or later.
Update Nextcloud Enterprise Server to version 29.0.16.8 or later.
Update Nextcloud Enterprise Server to version 30.0.17.3 or later.
Update Nextcloud Enterprise Server to version 31.0.10 or later.

Related Identifiers

BDU:2026-03384
CVE-2025-66510
GHSA-495W-CQV6-WR59

Affected Products

Nextcloud Enterprise Server
Nextcloud Server
RED OS