CVE-2025-59716

5.3 MEDIUM

📋 TL;DR

This vulnerability in ownCloud Guests allows unauthenticated attackers to enumerate valid pending guest user email addresses. Attackers can determine which email addresses have pending guest invitations by observing different server responses at the /apps/guests/register/{email}/{token} endpoint. This affects all ownCloud instances using the Guests app before version 0.12.5.

💻 Affected Systems

Products:
  • ownCloud Guests app
Versions: All versions before 0.12.5
Operating Systems: All platforms running ownCloud
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Guests app to be installed and enabled. The vulnerability exists in the token validation logic.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could map all pending guest invitations, potentially identifying organizational structure, preparing targeted phishing campaigns, or discovering internal email naming conventions.

🟠 Likely Case

Information disclosure revealing which email addresses have pending guest access, enabling reconnaissance for further attacks.

🟢 If Mitigated

Limited information disclosure with no direct access to sensitive data or systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP requests to the vulnerable endpoint with different email addresses can reveal valid pending users. The gist reference contains technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.12.5

Vendor Advisory: https://marketplace.owncloud.com/apps/guests

Restart Required: No

Instructions:

1. Update the ownCloud Guests app to version 0.12.5 or later via the ownCloud marketplace or a manual installation.
2. Verify that the update completed successfully.
3. No server restart is required.

🔧 Temporary Workarounds

Disable Guests app (Linux)

Temporarily disable the vulnerable Guests app if immediate patching isn't possible:

occ app:disable guests

Web server blocking (all platforms)

Block access to the vulnerable endpoint using the web server configuration. The rules below match both URL forms ownCloud serves (/apps/... with pretty URLs and /index.php/apps/... without), since a rule that only matches the bare /apps/ prefix leaves the front-controller form reachable.

Apache (.htaccess in the ownCloud web root, placed before ownCloud's own rewrite rules; in per-directory context the pattern has no leading slash):

RewriteEngine On
RewriteRule ^(index\.php/)?apps/guests/register/ - [F,L]

nginx (inside the ownCloud server block):

location ~ ^(/index\.php)?/apps/guests/register/ { return 403; }

🧯 If You Can't Patch

  • Implement rate limiting on the /apps/guests/register/ endpoint to slow enumeration
  • Monitor logs for unusual patterns of requests to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Test by requesting https://[your-owncloud]/apps/guests/register/test@example.com/12345 and observing whether the response differs for valid and invalid email addresses

Check Version:

occ app:list | grep guests

Verify Fix Applied:

After updating to 0.12.5 or later, test the same endpoint again: all invalid requests should return the same error response regardless of the email address supplied

📡 Detection & Monitoring

Log Indicators:

  • Multiple 200/302 responses to /apps/guests/register/ with different email parameters
  • Unusual patterns of failed authentication attempts following guest enumeration

Network Indicators:

  • High volume of requests to /apps/guests/register/ endpoint from single IPs
  • Sequential email address patterns in URL parameters

SIEM Query:

source="owncloud_access.log" AND uri_path="/apps/guests/register/*" | stats count, dc(uri_path) AS distinct_paths by src_ip
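As an added example that is not part of this advisory, the log indicators above applied to constructed access log lines in combined format: requests to /apps/guests/register/ are grouped by source IP and a source is flagged when it probes several distinct email addresses. The sample lines, the threshold and the function name are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines (Apache/nginx combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "GET /apps/guests/register/alice%40example.com/abc123 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "GET /apps/guests/register/bob%40example.com/abc123 HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2025:12:00:03 +0000] "GET /apps/guests/register/carol%40example.com/abc123 HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2025:12:00:04 +0000] "GET /apps/guests/register/dave%40example.com/abc123 HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2025:12:05:00 +0000] "GET /apps/guests/register/erin%40example.com/f00ba7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2025:12:06:00 +0000] "GET /index.php/apps/files HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Source IP, request path and status from a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Both URL forms: /apps/guests/register/{email}/{token} and /index.php/apps/guests/register/...
REGISTER_RE = re.compile(r'^(?:/index\.php)?/apps/guests/register/(?P<email>[^/]+)/(?P<token>[^/?]+)')


def find_enumeration(log_text, min_distinct_emails=3):
    """Return {src_ip: {"emails": n, "statuses": {...}}} for sources that hit the
    register endpoint with at least min_distinct_emails distinct email addresses."""
    per_ip = defaultdict(lambda: {"emails": set(), "statuses": defaultdict(int)})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        r = REGISTER_RE.match(m.group("path"))
        if not r:
            continue  # some other ownCloud request
        entry = per_ip[m.group("ip")]
        # Decode %40 etc. and normalise case so alice@x and Alice%40x count once.
        entry["emails"].add(unquote(r.group("email")).lower())
        entry["statuses"][m.group("status")] += 1
    return {
        ip: {"emails": len(e["emails"]), "statuses": dict(e["statuses"])}
        for ip, e in per_ip.items()
        if len(e["emails"]) >= min_distinct_emails
    }


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info['emails']} distinct emails, statuses {info['statuses']}")
```

A mixed 200/302 pattern from one source, as in the flagged sample, is the response difference the advisory describes being observed at scale.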

🔗 References
