CVE-2025-66510
📋 TL;DR
This vulnerability in Nextcloud Server allows authenticated users to retrieve personal data (emails, names, identifiers) of other users through the contacts search feature without proper access controls. It affects Nextcloud Server and Nextcloud Enterprise Server across multiple versions, enabling information disclosure of unrelated user accounts.
💻 Affected Systems
- Nextcloud Server
- Nextcloud Enterprise Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious insider could systematically harvest personal information of all users in the system, potentially enabling social engineering, targeted phishing, or identity theft attacks.
Likely Case
Authenticated users, inadvertently or intentionally, access contact information of users they should not be able to see, violating privacy expectations and potentially exposing sensitive personal data.
If Mitigated
Limited to authenticated users only, with no ability to modify or delete data, and exposure limited to contact information rather than passwords or system files.
🎯 Exploit Status
Exploitation requires authenticated access to Nextcloud. The vulnerability is in the contacts search functionality and can be triggered through normal API calls.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Nextcloud Server 31.0.10, 32.0.1; Nextcloud Enterprise Server 28.0.14.11, 29.0.16.8, 30.0.17.3, 31.0.10
Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-495w-cqv6-wr59
Restart Required: No
Instructions:
1. Back up your Nextcloud installation and database.
2. Update to the patched version using your preferred method (web updater, occ command, or manual download).
3. Run occ upgrade if using the command line.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Disable Contacts App
Temporarily disable the Contacts application to reduce exposure while a patch is pending. Because the TL;DR locates the flaw in the server's contacts search rather than in the app, confirm with a test account after disabling it that the search no longer returns data for unrelated users.
sudo -u www-data php occ app:disable contacts
🧯 If You Can't Patch
- Restrict user access to only trusted individuals and monitor for unusual contacts search activity
- Implement network segmentation to isolate Nextcloud instance and limit potential data exfiltration
🔍 How to Verify
Check if Vulnerable:
Check your Nextcloud version via the admin interface or run: sudo -u www-data php occ status
Check Version:
sudo -u www-data php occ status | grep 'versionstring'
Verify Fix Applied:
Confirm that the reported version is at or above the patched release (31.0.10+ or 32.0.1+ for Server; 28.0.14.11+, 29.0.16.8+, 30.0.17.3+, or 31.0.10+ for Enterprise) and, using test accounts, confirm that contacts search no longer returns data for unrelated users.
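The version comparison above is easy to get wrong by hand (four-part Enterprise versions, different thresholds per branch). The following script is an added example, not part of the advisory or of Nextcloud's own tooling: it reads the output of `occ status`, extracts `versionstring`, and compares it against the fixed versions listed in this advisory for the matching major branch. The `edition:` line parsing is an assumption about the `occ status` output format; pass the edition explicitly if your output differs. The sample output embedded below is constructed.

```python
"""Check a Nextcloud versionstring against the fixed versions listed for CVE-2025-66510.

Added example; the fixed-version table is copied from the advisory summary above.
"""
import re

# Fixed versions from the advisory, keyed by edition and major branch.
FIXED_VERSIONS = {
    "server": {31: "31.0.10", 32: "32.0.1"},
    "enterprise": {28: "28.0.14.11", 29: "29.0.16.8", 30: "30.0.17.3", 31: "31.0.10"},
}

# Constructed sample of `occ status` output (format assumed from typical installs).
SAMPLE_OCC_STATUS = """  - installed: true
  - version: 31.0.9.1
  - versionstring: 31.0.9
  - edition:
  - maintenance: false
  - needsDbUpgrade: false
  - productname: Nextcloud
"""


def parse_version(version):
    """Turn '28.0.14.11' into (28, 0, 14, 11) so tuple comparison orders releases."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(version, edition="server"):
    """Return True/False for branches the advisory lists, None for branches it does not cover."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS[edition].get(parsed[0])
    if fixed is None:
        # Not in the advisory's list: check the vendor advisory for that branch's status.
        return None
    # A shorter tuple that is a prefix compares as smaller, so 28.0.14 < 28.0.14.11.
    return parsed >= parse_version(fixed)


def check_occ_status(output, edition=None):
    """Extract versionstring (and, if present, edition) from `occ status` output.

    Returns (versionstring, edition, patched) where patched follows is_patched().
    """
    match = re.search(r"versionstring:\s*([0-9][0-9.]*)", output)
    if not match:
        raise ValueError("no versionstring line found in occ status output")
    versionstring = match.group(1)
    if edition is None:
        # Assumption: an Enterprise install reports 'enterprise' on the edition line;
        # anything else (including an empty value) is treated as the community server.
        edition_match = re.search(r"edition:\s*(\S*)", output)
        edition_value = edition_match.group(1).lower() if edition_match else ""
        edition = "enterprise" if "enterprise" in edition_value else "server"
    return versionstring, edition, is_patched(versionstring, edition)


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OCC_STATUS
    version, edition, patched = check_occ_status(text)
    status = {True: "patched", False: "VULNERABLE", None: "branch not covered by advisory list"}
    print(f"{edition} {version}: {status[patched]}")
```

Usage: `sudo -u www-data php occ status | python3 check_nc_version.py`. A `None` result means the major branch is absent from this advisory's fixed-version list, which is not the same as being safe; consult the vendor advisory for that branch.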
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of contacts API calls from single users
- Contacts search queries returning many results from unrelated users
Network Indicators:
- High volume of requests to /index.php/apps/contacts/api/v1/contacts endpoint
- Patterns of systematic contacts data retrieval
SIEM Query:
source="nextcloud.log" AND "apps/contacts/api" AND status=200 | stats count by src_user
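The log indicators above amount to a per-user rate check on contacts API requests. The script below is an added example, not part of the advisory or of Nextcloud, that implements that check offline over JSON log lines: it counts requests whose URL contains the contacts API path from the network indicator and flags any user whose request count within a sliding time window reaches a threshold. The field names (`time`, `user`, `url`) follow the nextcloud.log JSON layout; the sample lines are constructed, and the threshold and window are placeholders to tune for your deployment. Note that nextcloud.log is an application log and does not record every request, so in practice the reverse proxy or web server access log may be the more complete source; the same sliding-window logic applies once the lines are parsed into (time, user, url).

```python
"""Flag users issuing an unusual volume of contacts API requests (added example).

Reads nextcloud.log-style JSON lines, counts requests to the contacts API per user,
and reports users whose peak count inside a sliding window reaches a threshold.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Path fragment from the page's network indicator; matched as a substring so that
# query strings and index.php prefixes do not matter.
CONTACTS_API_MARKER = "/apps/contacts/api/"


def _entry(ts, user, url):
    """Build one constructed nextcloud.log-style JSON line."""
    return json.dumps({
        "reqId": "constructed", "level": 1, "time": ts, "remoteAddr": "203.0.113.5",
        "user": user, "app": "no app in context", "method": "GET", "url": url,
        "message": "constructed sample line",
    })


# Constructed sample: alice makes three spaced-out requests, mallory makes 25 in 25 seconds,
# bob touches an unrelated endpoint, and two lines are malformed/empty.
SAMPLE_LOG = (
    [_entry(f"2025-12-01T10:{m:02d}:00+00:00", "alice",
            "/index.php/apps/contacts/api/v1/contacts") for m in (0, 20, 40)]
    + [_entry(f"2025-12-01T11:00:{s:02d}+00:00", "mallory",
              "/index.php/apps/contacts/api/v1/contacts?search=a") for s in range(25)]
    + [_entry("2025-12-01T11:00:30+00:00", "bob", "/index.php/apps/files/"),
       "not json at all", ""]
)


def parse_log(lines):
    """Yield (timestamp, user, url) from JSON lines, skipping malformed or incomplete ones."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        ts, user, url = entry.get("time"), entry.get("user"), entry.get("url")
        if not (ts and user and url):
            continue
        yield datetime.fromisoformat(ts), user, url


def contacts_requests_by_user(lines):
    """Map each user to the sorted timestamps of their contacts API requests."""
    per_user = defaultdict(list)
    for ts, user, url in parse_log(lines):
        if CONTACTS_API_MARKER in url:
            per_user[user].append(ts)
    for times in per_user.values():
        times.sort()
    return dict(per_user)


def flag_bursty_users(lines, threshold=20, window_minutes=5):
    """Return {user: peak_count} for users with >= threshold requests in any window."""
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, times in contacts_requests_by_user(lines).items():
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # Advance the window start until it is within `window` of the current request.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for user, peak in sorted(flag_bursty_users(source).items()):
        print(f"{user}: {peak} contacts API requests within 5 minutes")
```

Usage: `python3 contacts_burst.py < /var/www/nextcloud/data/nextcloud.log`. The threshold should sit well above what legitimate autocomplete use produces for your user base; the same window logic can be pointed at the web server access log by adjusting `parse_log` to that format.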