Unrated severityNVD Advisory· Published Dec 5, 2025· Updated Dec 5, 2025

Nextcloud Server Contacts Search allowed users to retrieve contact information of other users beyond their contact list

CVE-2025-66510

Description

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed to retrieve personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related or added as contacts.

Affected products

Nextcloud/Nextcloud Enterprise Serverllm-create
Range: <28.0.14.11, <29.0.16.8, <30.0.17.3, <31.0.10
Nextcloud/Nextcloudllm-fuzzy
Range: <31.0.10, <32.0.1
nextcloud/security-advisoriesv5
Range: >= 32.0.0beta1, < 32.0.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/nextcloud/security-advisories/security/advisories/GHSA-495w-cqv6-wr59mitrex_refsource_CONFIRM
github.com/nextcloud/server/commit/e4866860cbf24a746eb8a125587262a4c8831c57mitrex_refsource_MISC
github.com/nextcloud/server/pull/55657mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000