Nextcloud Tables Under Scrutiny: Analyzing CVE-2025-66513 Information Disclosure

Overview

CVE-2025-66513 describes a medium-severity information disclosure vulnerability affecting Nextcloud Tables. The vulnerability allows unprivileged users to access information about table sharing configurations, specifically which users or groups have access to which tables and their associated permissions. This information should be restricted to administrative users. Successful exploitation discloses sensitive access-control metadata managed within Nextcloud Tables.

Technical Details

The vulnerability resides in how Nextcloud Tables manages access-control information related to table sharing. Prior to versions 0.8.9, 0.9.6, and 1.0.1, the system did not properly restrict access to the numeric IDs of tables and their sharing configurations. This meant that an authenticated user, even without explicit permissions for specific tables, could enumerate and discover which tables are shared with specific groups or users and the assigned permissions. The fix prevents unprivileged users from accessing this information.

The vulnerability was addressed by restricting access to the table sharing configuration data, ensuring that only privileged users have the necessary permissions to view this sensitive information. The exact code changes are available in the linked commit.
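The following is an added illustrative model of the flaw class described above; it is not Nextcloud code. The table and share structures, the permission names, the group lookup and the two lookup functions are hypothetical and only reproduce the behaviour the advisory describes: share metadata readable by any authenticated user who knows a numeric table ID before the fix, and restricted to the owner, an administrator or a user holding a manage-level share after it.

```python
"""Illustrative model of missing object-level authorization on share metadata.

Added example, not Nextcloud code. All structures, names and permission
strings below are hypothetical and constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Share:
    receiver: str        # user or group name
    receiver_type: str   # "user" or "group"
    permissions: set     # e.g. {"read"} or {"read", "update", "manage"}


@dataclass
class Table:
    table_id: int
    owner: str
    shares: list = field(default_factory=list)


# Constructed sample data: two tables, each shared with different receivers.
TABLES = {
    1: Table(1, "alice", [Share("bob", "user", {"read"}),
                          Share("finance", "group", {"read", "update"})]),
    2: Table(2, "carol", [Share("dave", "user", {"read", "manage"})]),
}

# Constructed group membership.
GROUPS = {"finance": {"erin"}}


def is_admin(user: str) -> bool:
    return user == "admin"


def _share_for(user: str, table: Table):
    """Return the share that grants `user` access to `table`, if any."""
    for s in table.shares:
        if s.receiver_type == "user" and s.receiver == user:
            return s
        if s.receiver_type == "group" and user in GROUPS.get(s.receiver, set()):
            return s
    return None


def _render(table: Table) -> list:
    return [(s.receiver, s.receiver_type, sorted(s.permissions)) for s in table.shares]


def list_shares_vulnerable(user: str, table_id: int) -> list:
    """Pre-fix behaviour: the caller is authenticated but never authorized,
    so any user who supplies a numeric table ID receives the full sharing
    configuration of that table."""
    return _render(TABLES[table_id])


def list_shares_fixed(user: str, table_id: int) -> list:
    """Post-fix behaviour: only the owner, an admin, or a user whose own share
    carries 'manage' may read the configuration. Unknown IDs and forbidden IDs
    fail identically, so the endpoint cannot confirm which IDs exist."""
    table = TABLES.get(table_id)
    if table is None:
        raise PermissionError("not found or not permitted")
    share = _share_for(user, table)
    allowed = (is_admin(user) or table.owner == user
               or (share is not None and "manage" in share.permissions))
    if not allowed:
        raise PermissionError("not found or not permitted")
    return _render(table)


def can_read_shares(user: str, table_id: int) -> bool:
    """Convenience wrapper around the fixed check for audits and tests."""
    try:
        list_shares_fixed(user, table_id)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("vulnerable:", list_shares_vulnerable("mallory", 1))
    print("fixed (mallory):", can_read_shares("mallory", 1))
    print("fixed (alice):", can_read_shares("alice", 1))
```

The point of the fixed variant is that authorization is evaluated per object, on the table the ID resolves to, rather than once at login; a plain "read" share is deliberately not enough to see who else the table is shared with.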

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-66513 is 4.3, indicating a MEDIUM severity vulnerability.

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)

This score reflects the fact that the vulnerability is remotely exploitable (Network), requires low attack complexity and only low privileges, and affects confidentiality alone (Low), with no impact on integrity or availability.

Possible Impact

The exploitation of CVE-2025-66513 could have the following impacts:

  • Information Disclosure: Unauthorized access to table sharing configurations, revealing which users or groups have access to specific tables and their associated permissions.
  • Potential for Lateral Movement: Knowing the sharing configurations might allow an attacker to infer relationships between users and data, potentially enabling them to target specific users or groups for further attacks.
  • Increased Attack Surface: Disclosure of sharing configurations can aid an attacker in identifying potential weaknesses and attack vectors within the Nextcloud environment.

Mitigation or Patch Steps

To mitigate the risk posed by CVE-2025-66513, it is crucial to update Nextcloud Tables to one of the following versions or later:

  • 0.8.9
  • 0.9.6
  • 1.0.1

Follow these steps to update your Nextcloud Tables installation:

  1. Log in to your Nextcloud instance as an administrator.
  2. Navigate to the Apps section.
  3. Search for “Tables”.
  4. If an update is available, click the “Update” button.
  5. Verify the update was successful.

Regularly updating your Nextcloud apps is essential for maintaining a secure environment.

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.