Overview
CVE-2025-66556 describes a low-severity vulnerability in Nextcloud Talk, the video and audio conferencing app for Nextcloud. A participant with chat permissions in a conversation can delete poll drafts created by other participants in that conversation by referencing the draft's numeric ID. The issue is patched in Nextcloud Talk versions 20.1.8 and 21.1.2.
Technical Details
The vulnerability stems from insufficient access control when handling poll draft deletion requests in Nextcloud Talk. A user with basic chat privileges could craft a deletion request that specifies the numeric ID of another participant's draft; the server authorized the deletion without verifying that the requester owned the draft, allowing unauthorized modification of data.
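To make the access-control gap concrete, here is an added illustration (not code from Nextcloud Talk) of a draft-deletion handler that checks only chat permission, beside one that also verifies the draft belongs to the requesting participant and to the current conversation. The store, function names and sample drafts are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class PollDraft:
    draft_id: int
    room_id: int    # conversation the draft belongs to
    actor_id: str   # participant who created it


@dataclass
class DraftStore:
    drafts: dict = field(default_factory=dict)

    def add(self, draft: PollDraft) -> None:
        self.drafts[draft.draft_id] = draft


def sample_store() -> DraftStore:
    # Constructed sample data: alice's draft 10 in room 1, carol's draft 11 in room 2.
    store = DraftStore()
    store.add(PollDraft(10, 1, "alice"))
    store.add(PollDraft(11, 2, "carol"))
    return store


def delete_draft_vulnerable(store, room_id, actor_id, can_chat, draft_id) -> str:
    """Checks chat permission only, then deletes whatever numeric ID the client sent."""
    if not can_chat:
        return "forbidden"
    if draft_id not in store.drafts:
        return "not_found"
    del store.drafts[draft_id]   # no check that the draft is the caller's or in this room
    return "deleted"


def delete_draft_fixed(store, room_id, actor_id, can_chat, draft_id) -> str:
    """Also binds the draft to the current conversation and to the requesting actor."""
    if not can_chat:
        return "forbidden"
    draft = store.drafts.get(draft_id)
    # A draft from another conversation is reported as missing, not as someone else's.
    if draft is None or draft.room_id != room_id:
        return "not_found"
    if draft.actor_id != actor_id:
        return "forbidden"
    del store.drafts[draft_id]
    return "deleted"
```

The fixed handler looks the draft up by ID and then rejects the request unless the draft's recorded owner and conversation match the caller, which is the ownership binding the advisory says was missing.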
CVSS Analysis
- CVSS Score: 3.5
- Severity: LOW
A CVSS score of 3.5 indicates a low-severity vulnerability, reflecting the limited impact and exploitability of the issue: the attacker must already hold chat permissions in the conversation and can only delete poll drafts, not gain further access or compromise the system.
Possible Impact
The impact of this vulnerability is relatively limited. A malicious user could disrupt a conversation by deleting poll drafts created by others. This could cause frustration and inconvenience, but it does not lead to data breaches, privilege escalation, or denial of service.
Mitigation or Patch Steps
To mitigate this vulnerability, upgrade your Nextcloud Talk instance to one of the following versions:
- Version 20.1.8 or later
- Version 21.1.2 or later
These versions contain the necessary patch to address the improper access control issue and prevent unauthorized deletion of poll drafts. Always ensure your Nextcloud instance and its associated apps are up-to-date with the latest security patches.
