CVE-2025-66557

5.4 MEDIUM

📋 TL;DR

Nextcloud Deck boards are shared with users and groups, and every recipient carries a combination of edit, share and manage permissions. In affected Deck versions, a recipient who holds only the 'Can share' permission can modify the permission entries of other recipients on the same board, which goes beyond merely sharing the board onward and lets them escalate access within the board. The cause is an access-control defect in Deck's permission logic. Every Nextcloud instance running Deck before 1.14.6, or 1.15.x before 1.15.2, is affected.
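
As an added illustration (not Deck's own code and not the vendor's fix), the following Python model contrasts the vulnerable pattern the TL;DR describes, a single 'Can share' check guarding both adding recipients and editing their entries, with a hardened rule under which a sharer may only add recipients with no more than their own rights, while editing or removing an existing entry requires 'Can manage'. `Board`, `Acl`, `add_acl`, `update_acl`, `update_acl_vulnerable` and the `demo` scenario are hypothetical names constructed here.

```python
"""Illustrative permission model for board ACL changes.
Added example with hypothetical names; not Nextcloud Deck's implementation."""
from dataclasses import dataclass, replace


class Forbidden(Exception):
    """Raised when the caller lacks the permission an operation needs."""


@dataclass(frozen=True)
class Acl:
    """One recipient's entry on a board: the three flags Deck exposes."""
    participant: str
    edit: bool = False
    share: bool = False
    manage: bool = False

    def exceeds(self, other: "Acl") -> bool:
        """True if this entry grants a flag that `other` does not hold."""
        return ((self.edit and not other.edit)
                or (self.share and not other.share)
                or (self.manage and not other.manage))


class Board:
    def __init__(self, owner: str, acls=()):
        self.owner = owner
        self.acls = {a.participant: a for a in acls}

    def effective(self, user: str):
        """The owner has every right; others have exactly their ACL entry."""
        if user == self.owner:
            return Acl(user, edit=True, share=True, manage=True)
        return self.acls.get(user)


def _require(board: Board, caller: str, flag: str) -> Acl:
    acl = board.effective(caller)
    if acl is None or not getattr(acl, flag):
        raise Forbidden(f"{caller} lacks '{flag}' on this board")
    return acl


# Vulnerable pattern: the check that lets a sharer add recipients also
# guards editing any existing recipient's entry.
def update_acl_vulnerable(board: Board, caller: str, target: str, **changes):
    _require(board, caller, "share")
    board.acls[target] = replace(board.acls[target], **changes)


# Hardened: a sharer may only add new recipients, never above their own
# rights; changing or removing an existing entry needs 'manage'.
def add_acl(board: Board, caller: str, new: Acl):
    caller_acl = _require(board, caller, "share")
    if new.participant in board.acls:
        raise Forbidden("recipient already present; editing needs 'manage'")
    if new.exceeds(caller_acl):
        raise Forbidden("cannot grant rights the caller does not hold")
    board.acls[new.participant] = new


def update_acl(board: Board, caller: str, target: str, **changes):
    _require(board, caller, "manage")
    board.acls[target] = replace(board.acls[target], **changes)


def delete_acl(board: Board, caller: str, target: str):
    _require(board, caller, "manage")
    del board.acls[target]


def demo() -> dict:
    """Constructed scenario: bob holds only 'share', carol only 'edit'."""
    acls = [Acl("bob", share=True), Acl("carol", edit=True)]
    weak = Board("alice", acls)
    update_acl_vulnerable(weak, "bob", "carol", manage=True)  # succeeds

    strong = Board("alice", acls)
    try:
        update_acl(strong, "bob", "carol", manage=True)
        blocked = False
    except Forbidden:
        blocked = True
    try:
        add_acl(strong, "bob", Acl("dave", manage=True))
        overgrant_blocked = False
    except Forbidden:
        overgrant_blocked = True
    add_acl(strong, "bob", Acl("dave", share=True))   # within bob's rights
    update_acl(strong, "alice", "carol", manage=True)  # owner may manage

    return {
        "vulnerable_carol_manage": weak.acls["carol"].manage,
        "hardened_blocked": blocked,
        "overgrant_blocked": overgrant_blocked,
        "dave_added": "dave" in strong.acls,
        "owner_can_manage": strong.acls["carol"].manage,
    }
```

The point of the split is that "may share the board" and "may change who has what on the board" are different privileges; collapsing them into one check is the class of bug the advisory describes.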

💻 Affected Systems

Products:
  • Nextcloud Deck
Versions: Deck releases before 1.14.6, and 1.15.x releases before 1.15.2
Operating Systems: All platforms running Nextcloud
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances where the Deck app is installed and enabled, and only boards on which at least one recipient has been granted 'Can share'.

📦 What is this software?

Nextcloud Deck is a Kanban-style project organization app that runs inside a Nextcloud server. Work is arranged as boards containing stacks of cards, and a board owner can share a board with other users or groups, giving each recipient a combination of 'Can edit', 'Can share' and 'Can manage' permissions. Those per-recipient permissions, exposed through the Deck web UI and its REST API, are the access-control layer this vulnerability concerns.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated recipient holding only 'Can share' could rewrite other recipients' permission entries, for example granting edit or manage rights to a colluding account or stripping them from the board's legitimate managers, and thereby take effective control of the board's cards, attachments and membership.

🟠

Likely Case

Users with share permissions could unintentionally or maliciously alter permissions of other team members, causing confusion, data access issues, or minor workflow disruptions.

🟢

If Mitigated

With proper user access controls and monitoring, impact is limited to minor permission changes that can be quickly detected and reverted.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated Nextcloud account that has been granted 'Can share' on at least one board; no unauthenticated path is known. The flaw is described in the vendor advisory linked below, and no public proof of concept was recorded at the time of writing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.14.6 or 1.15.2

Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wwr8-hx9g-rjvv

Restart Required: No

Instructions:

1. Update Nextcloud Deck to 1.14.6 (stable) or 1.15.2 (beta), according to the release line you run.
2. Use the built-in updater (Settings > Apps > Deck > Update) or, from the Nextcloud root as the web server user, run `php occ app:update deck`.
3. No server restart is required. If the admin interface still shows the old version afterwards, reload PHP-FPM (or otherwise reset the opcache) so the new app code is loaded.

🔧 Temporary Workarounds

Temporary permission restriction (applies to all affected versions)

Until the update is applied, remove the 'Can share' permission from every recipient of every shared board, leaving board sharing to the owner and to users who already hold 'Can manage'.

This is done per board by the owner or a manager from the board's sharing sidebar in the Deck app; Deck has no admin-level editor for board ACLs. Where that is impractical, an administrator can take the app offline with `php occ app:disable deck` and re-enable it with `php occ app:enable deck` once the update is installed.

🧯 If You Can't Patch

  • Grant 'Can share' only to board owners and managers, not to ordinary collaborators
  • Limit who can use Deck at all through its admin setting that restricts the app to specific groups
  • Review each board's sharing list for unexpected edit or manage grants, and watch the Deck activity stream and the web server access log for permission changes (see Detection & Monitoring)

🔍 How to Verify

Check if Vulnerable:

Open Settings > Apps as an administrator, find Deck, and compare the installed version with the fixed versions. From the command line, `php occ app:list` (run as the web server user from the Nextcloud root) prints every installed app with its version; look for the `deck:` line. Note that config.php does not record app versions.

Check Version:

Settings > Apps > Deck in the web interface, or `php occ app:list | grep deck` on the server.

Verify Fix Applied:

Confirm the Deck version is 1.14.6 or later on the 1.14 line, or 1.15.2 or later on the 1.15 line. If Deck is listed under "Disabled" in `occ app:list`, the vulnerable code is installed but not reachable.
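
As an added example (not part of the page or of Nextcloud's tooling), the following Python decides whether an installed Deck version is affected, taking the version from `occ app:list` output rather than the web UI so it can run in a fleet check. The fixed versions come from the advisory; treating release lines newer than 1.15 as fixed is an assumption made here, and the sample `occ` output is constructed.

```python
"""Added example: classify an installed Deck version against the advisory's
fixed versions, reading the version from `occ app:list` output.
Assumption: release lines newer than 1.15 carry the fix."""
import re
import sys

# release line -> first patch level that contains the fix (from the advisory)
FIRST_FIXED = {(1, 14): 6, (1, 15): 2}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    """'1.14.5' -> (1, 14, 5); '1.15.2-beta.1' -> (1, 15, 2).
    Pre-release suffixes are ignored, so a beta of a fixed version counts as fixed."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable(version: str) -> bool:
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIRST_FIXED:
        return patch < FIRST_FIXED[line]
    # Older lines predate both fixes; newer lines are assumed to include them.
    return line < (1, 14)


def deck_status(occ_output: str):
    """Return (version, 'enabled' | 'disabled') for Deck from `occ app:list`
    output, or (None, None) if Deck is not installed."""
    section = None
    for line in occ_output.splitlines():
        stripped = line.strip()
        if stripped in ("Enabled:", "Disabled:"):
            section = stripped[:-1].lower()
            continue
        m = re.match(r"-\s*deck:\s*(\S+)", stripped)
        if m:
            return m.group(1), section
    return None, None


def assess(occ_output: str) -> str:
    version, state = deck_status(occ_output)
    if version is None:
        return "deck: not installed"
    verdict = "VULNERABLE" if is_vulnerable(version) else "fixed"
    note = " (app disabled, code not reachable)" if state == "disabled" else ""
    return f"deck {version} ({state}): {verdict}{note}"


# Constructed sample of `occ app:list` output, not taken from a real server.
SAMPLE_OCC_OUTPUT = """\
Enabled:
  - activity: 2.22.0
  - deck: 1.14.5
  - files: 2.2.0
Disabled:
  - encryption: 2.20.0
"""

if __name__ == "__main__":
    # usage: sudo -u www-data php occ app:list | python3 check_deck.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OCC_OUTPUT
    print(assess(data))
```

Run it with the real `occ app:list` output piped in; without input it evaluates the constructed sample. A disabled Deck still contains the vulnerable code, so the script reports the version and flags that it is not reachable rather than calling it fixed.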

📡 Detection & Monitoring

Log Indicators:

  • Board sharing or permission changes in the Deck activity stream (Nextcloud activity app) performed by users who were only granted 'Can share'
  • Multiple permission changes on the same board from one user or client in a short timeframe
  • Note: at the default loglevel (2, warning) nextcloud.log records errors and warnings, not successful permission changes, so it is not a reliable source for this indicator

Network Indicators:

  • POST, PUT or DELETE requests to Deck's board ACL endpoints in the web server access log, i.e. paths matching /apps/deck/api/v1.0/boards/<boardId>/acl (add recipient) and /apps/deck/api/v1.0/boards/<boardId>/acl/<aclId> (modify or remove recipient), from clients that should not be managing boards

SIEM Query:

Generic pattern for an index holding the web server access log (adapt source and field names to your platform):

source="access.log" AND "/apps/deck/api/" AND "/acl" AND ("POST" OR "PUT" OR "DELETE")
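
As an added example (not part of the page or of Nextcloud), the following Python turns the log and network indicators above into a check over web server access log lines: it extracts successful POST, PUT and DELETE requests to Deck's board ACL endpoints and flags any source that makes several within a short window. The log lines are constructed, `LINE_RE` assumes the common combined log format, and the threshold of three changes in five minutes is an assumption to tune against your own baseline.

```python
"""Added example: find bursts of Deck board-ACL changes in a web server
access log. Endpoint paths follow Deck's REST API; log lines are constructed
and the window/threshold are starting points, not tuned values."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: client, ident, user, [time], "METHOD PATH PROTO", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Deck ACL endpoints: POST .../boards/{id}/acl, PUT|DELETE .../boards/{id}/acl/{aclId}
ACL_RE = re.compile(
    r"/apps/deck/api/v[\d.]+/boards/(?P<board>\d+)/acl(?:/(?P<acl>\d+))?(?:\?|$)")
MUTATING = {"POST", "PUT", "DELETE"}


def parse_acl_changes(lines):
    """Return one record per successful ACL-mutating request."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] not in MUTATING or not m["status"].startswith("2"):
            continue
        a = ACL_RE.search(m["path"])
        if not a:
            continue
        out.append({
            "ip": m["ip"],
            # cookie-authenticated browser sessions leave remote_user as "-";
            # only basic-auth API clients populate it
            "user": None if m["user"] == "-" else m["user"],
            "when": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "board": int(a["board"]),
            "acl": int(a["acl"]) if a["acl"] else None,
        })
    return out


def burst_sources(events, window=timedelta(minutes=5), threshold=3):
    """Map source (user if logged, else client IP) -> largest number of ACL
    changes seen inside any `window`, for sources reaching `threshold`."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["user"] or e["ip"]].append(e["when"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            n = hi - lo + 1
            if n >= threshold:
                flagged[src] = max(flagged.get(src, 0), n)
    return flagged


# Constructed sample: one client rewrites four ACL entries on board 7 within
# two minutes; the other lines are noise the rule must ignore.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2025:10:01:02 +0000] "PUT /index.php/apps/deck/api/v1.0/boards/7/acl/12 HTTP/1.1" 200 311 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Dec/2025:10:01:20 +0000] "PUT /index.php/apps/deck/api/v1.0/boards/7/acl/13 HTTP/1.1" 200 309 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Dec/2025:10:01:45 +0000] "GET /index.php/apps/deck/api/v1.0/boards/7/acl HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Dec/2025:10:02:05 +0000] "PUT /index.php/apps/deck/api/v1.0/boards/7/acl/14 HTTP/1.1" 200 310 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Dec/2025:10:02:30 +0000] "PUT /index.php/apps/deck/api/v1.0/cards/91 HTTP/1.1" 200 480 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Dec/2025:10:02:58 +0000] "DELETE /index.php/apps/deck/api/v1.0/boards/7/acl/15 HTTP/1.1" 200 2 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Dec/2025:10:40:00 +0000] "POST /index.php/apps/deck/api/v1.0/boards/3/acl HTTP/1.1" 200 305 "-" "Mozilla/5.0"
""".strip().splitlines()


def scan(lines=SAMPLE_LOG):
    return burst_sources(parse_acl_changes(lines))


if __name__ == "__main__":
    print(scan())
```

A hit is a lead, not proof of exploitation: board owners and managers change ACLs legitimately, so the flagged client or user still has to be matched against who holds 'Can manage' on the affected board (the Deck activity stream attributes the change to a Nextcloud account, which the access log usually cannot).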

🔗 References

  • Vendor advisory (GitHub Security Advisory GHSA-wwr8-hx9g-rjvv): https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wwr8-hx9g-rjvv
  • NVD record: https://nvd.nist.gov/vuln/detail/CVE-2025-66557