CVE-2025-58051: CWE-841: Improper Enforcement of Behavioral Workflow in nextcloud security-advisories
Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.7.6, 0.8.8, and 0.9.5, when importing a table, a user was able to specify files on the server; when their format was supported by the PhpSpreadsheet library in use, those files were included in the import and their content leaked to the user. It is recommended that the Nextcloud Tables app is upgraded to 0.7.6, 0.8.8 or 0.9.5.
AI Analysis
Technical Summary
CVE-2025-58051 is a vulnerability affecting the Nextcloud Tables application, specifically versions prior to 0.7.6, 0.8.8, and 0.9.5. Nextcloud Tables enables users to create custom tables with individual columns and supports importing table data. The vulnerability arises because the import functionality improperly enforces behavioral workflow constraints, allowing an authenticated user with limited privileges to specify arbitrary file paths on the server during the import process. If the specified files are in formats supported by the PhpSpreadsheet library, the application processes and includes their content in the imported table data, effectively leaking the contents of arbitrary server files to the attacker. This is classified under CWE-841, indicating improper enforcement of behavioral workflow, which in this case means the application fails to restrict file import sources appropriately. The CVSS 3.1 base score is 6.5 (medium severity), with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality only. The vulnerability does not affect data integrity or availability. No public exploits are known at this time. The recommended mitigation is upgrading Nextcloud Tables to versions 0.7.6, 0.8.8, or 0.9.5 or later, where this issue has been addressed. Organizations using vulnerable versions should audit their deployments and apply patches promptly to prevent unauthorized data disclosure.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive server-side files through the Nextcloud Tables import feature. Since Nextcloud is widely used in Europe for collaboration and file sharing, especially in public sector, education, and enterprises, the exposure of confidential data could lead to privacy violations, regulatory non-compliance (e.g., GDPR), and reputational damage. The vulnerability requires authenticated access, so insider threats or compromised user accounts could exploit it to leak sensitive information. Although it does not affect system integrity or availability, the confidentiality breach could expose intellectual property, personal data, or configuration files, potentially facilitating further attacks. Organizations relying on Nextcloud Tables for data management should consider this a significant data leakage risk and prioritize remediation to maintain compliance and trust.
Mitigation Recommendations
1. Upgrade Nextcloud Tables to versions 0.7.6, 0.8.8, or 0.9.5 or later immediately to apply the fix for this vulnerability.
2. Restrict user permissions to minimize the number of users who can import tables, especially limiting access to trusted users only.
3. Implement strict monitoring and logging of import activities within Nextcloud to detect any unusual file import attempts referencing server files.
4. Conduct regular audits of file permissions and server file accessibility to reduce the risk of sensitive files being accessible through the import process.
5. Employ network segmentation and access controls to limit exposure of Nextcloud servers to only trusted networks and users.
6. Educate users about the risks of importing data from untrusted sources and enforce strong authentication mechanisms to prevent account compromise.
7. Consider additional application-layer controls or custom filters to validate imported file paths if upgrading is delayed.
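The root cause described in the technical summary is an import source that is never confined to the requesting user's own storage, and recommendation 7 asks for a path filter when patching is delayed. The following is an added illustration of such a confinement check, written here in Python rather than the app's PHP and not taken from Nextcloud Tables; the directory layout, file names and the user-root convention are constructed for the demo.

```python
"""Path-confinement check of the kind a table-import endpoint needs.

Added illustration (not Nextcloud Tables code): an import may only read files
that resolve inside the requesting user's own storage root, however the client
spells the path. The realpath-then-prefix logic carries over directly to PHP.
"""
import os
import tempfile


class ImportPathRejected(ValueError):
    """Raised when a requested import source lies outside the user's root."""


def resolve_import_source(user_root: str, requested: str) -> str:
    """Return the real path of `requested` if it resolves inside `user_root`.

    Absolute paths, `..` components and symlinks are all neutralised by
    resolving the final target and comparing it against the resolved root.
    """
    root = os.path.realpath(user_root)
    # os.path.join discards `root` when `requested` is absolute, so an absolute
    # server path is caught by the prefix comparison below, not hidden by it.
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise ImportPathRejected(f"{requested!r} resolves outside the user root")
    if not os.path.isfile(candidate):
        raise ImportPathRejected(f"{requested!r} is not a regular file")
    return candidate


def demo() -> dict:
    """Build a constructed layout and record which requests are accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "files")          # the user's own storage
        os.makedirs(root)
        with open(os.path.join(root, "sheet.csv"), "w") as f:
            f.write("a,b\n1,2\n")
        secret = os.path.join(tmp, "server-secret.csv")  # outside the root
        with open(secret, "w") as f:
            f.write("x\n")
        # A symlink inside the root that points at the file outside it.
        os.symlink(secret, os.path.join(root, "link.csv"))
        requests = {"direct": "sheet.csv", "traversal": "../server-secret.csv",
                    "symlink": "link.csv", "absolute": secret}
        results = {}
        for label, req in requests.items():
            try:
                resolve_import_source(root, req)
                results[label] = "accepted"
            except ImportPathRejected:
                results[label] = "rejected"
        return results
```

Only the plain in-root file is accepted; the traversal, the symlink that escapes the root and the absolute server path are all rejected by the same comparison.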
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-08-22T14:30:32.221Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f124619f8a5dbaeaea87b8
Added to database: 10/16/2025, 4:59:13 PM
Last enriched: 10/16/2025, 5:14:35 PM
Last updated: 10/19/2025, 12:43:43 PM