Unrated severityNVD Advisory· Published Dec 5, 2025· Updated Dec 8, 2025

Nextcloud Desktop discloses information when attempting to lock a file inside a end-to-end encrypted directory

CVE-2025-66549

Description

Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5.

Affected products

Desktop/Desktopllm-fuzzy
Range: <3.16.5
nextcloud/security-advisoriesv5
Range: < 3.16.5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/nextcloud/desktop/commit/36d6c234d42b06a6f2e9de3e413a5c3c625edad6mitrex_refsource_MISC
github.com/nextcloud/desktop/pull/8330mitrex_refsource_MISC
github.com/nextcloud/security-advisories/security/advisories/GHSA-h9xj-qh76-q3hwmitrex_refsource_CONFIRM
hackerone.com/reports/3159877mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000