Unrated severity · NVD Advisory · Published Dec 5, 2025 · Updated Dec 8, 2025
Nextcloud Deck app allowed user with "Can share" permission to modify permissions of other non-owners
CVE-2025-66557
Description
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2.
Affected products
- nextcloud/security-advisories · v5 · Range: >= 1.15.0-beta.1, < 1.15.2
References
- github.com/nextcloud/deck/commit/f1da8b30a455f02373d44154da04494c949a95ae (mitre, x_refsource_MISC)
- github.com/nextcloud/deck/pull/7131 (mitre, x_refsource_MISC)
- github.com/nextcloud/security-advisories/security/advisories/GHSA-wwr8-hx9g-rjvv (mitre, x_refsource_CONFIRM)
- hackerone.com/reports/3247499 (mitre, x_refsource_MISC)