Unrated severityNVD Advisory· Published May 16, 2025· Updated May 16, 2025

Nextcloud Server vulnerable to insecure temporary file creation, race with write access and permission

CVE-2025-47794

Description

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server prior to 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1, an attacker on a multi-user system may read temporary files from Nextcloud running with a different user account, or run a symlink attack. Nextcloud Server versions 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1 fix the issue. No known workarounds are available.

Affected products

Nextcloud/Serverllm-fuzzy
Range: < 29.0.13, 30.0.7, 31.0.1 for Nextcloud Server; < 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, 31.0.1 for Nextcloud Enterprise Server
Nextcloud/Nextcloud Enterprise Serverllm-fuzzy
Range: < 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, 31.0.1
nextcloud/security-advisoriesv5
Range: >= 26.0.0, < 26.0.13.13

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/nextcloud/security-advisories/security/advisories/GHSA-q568-2933-gcjqmitrex_refsource_CONFIRM
github.com/nextcloud/server/pull/51194mitrex_refsource_MISC
hackerone.com/reports/1960647mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000