CVE-2025-64011: n/a
Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing permissions.
AI Analysis
Technical Summary
CVE-2025-64011 identifies an Insecure Direct Object Reference (IDOR) vulnerability in Nextcloud Server version 30.0.0, specifically within the /core/preview endpoint. This endpoint generates previews (thumbnails) of files stored on the server. Because the endpoint does not adequately check whether the requesting user is authorized to read the file identified by the fileId parameter, any authenticated user can supply the id of a file owned by another user and receive its preview. This bypasses the intended sharing permissions and allows unauthorized disclosure of sensitive content such as text documents or images. The vulnerability impacts confidentiality but does not affect data integrity or system availability. Exploitation requires the attacker to be authenticated but does not require any interaction from the victim, making it relatively straightforward for insiders or compromised accounts to exploit. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key). Although no public exploits or patches are currently available, the vulnerability poses a risk of internal data leakage in environments where Nextcloud is used for collaboration and file sharing. The CVSS v3.1 score of 4.3 reflects a medium severity: network attack vector, low attack complexity, privileges required (an authenticated account), no user interaction, and impact limited to confidentiality. The scope remains unchanged, as the vulnerability affects only the confidentiality of files reachable through the preview endpoint.
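The following is an added illustration of the CWE-639 pattern described above and of the fix the mitigation section calls for; it is a toy model written for this page, not Nextcloud's code, and every name in it (the FILES table, preview_vulnerable, preview_fixed, user_can_read) is hypothetical. The vulnerable handler resolves the user-controlled fileId on its own; the hardened handler resolves it only within the set of files the requesting user is allowed to read, and answers 404 for both missing and unauthorized files so the endpoint does not become an existence oracle.

```python
"""
Toy model of a file-preview endpoint showing the IDOR pattern (CWE-639)
and its fix. Added example for this page, not Nextcloud code; all names
and the sample data are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class StoredFile:
    file_id: int
    owner: str
    name: str
    shared_with: set[str] = field(default_factory=set)


# Constructed sample data: alice owns a private file and a file shared
# with bob; bob owns one file of his own.
FILES: dict[int, StoredFile] = {
    101: StoredFile(101, "alice", "salary.txt"),
    102: StoredFile(102, "alice", "logo.png", shared_with={"bob"}),
    103: StoredFile(103, "bob", "notes.txt"),
}


def render_preview(f: StoredFile) -> bytes:
    # Stand-in for real thumbnail generation.
    return f"preview-of:{f.name}".encode()


def preview_vulnerable(user: str, file_id: int) -> tuple[int, bytes]:
    """Looks the file up by the user-controlled id alone. Authentication is
    checked elsewhere, but authorization for *this* file never is, so any
    logged-in user receives a preview of any file. Returns (status, body)."""
    f = FILES.get(file_id)
    if f is None:
        return 404, b""
    return 200, render_preview(f)


def user_can_read(user: str, f: StoredFile) -> bool:
    """Server-side authorization: owner, or explicitly shared with the user."""
    return f.owner == user or user in f.shared_with


def preview_fixed(user: str, file_id: int) -> tuple[int, bytes]:
    """Resolves the id in the context of the requesting user. Files the user
    cannot read are indistinguishable from non-existent ones (404 either way),
    so the endpoint cannot be used to probe which ids exist."""
    f = FILES.get(file_id)
    if f is None or not user_can_read(user, f):
        return 404, b""
    return 200, render_preview(f)


if __name__ == "__main__":
    print("vulnerable, bob -> alice's private file:", preview_vulnerable("bob", 101))
    print("fixed,      bob -> alice's private file:", preview_fixed("bob", 101))
    print("fixed,      bob -> file shared with bob:", preview_fixed("bob", 102))
```

The design point is where the lookup happens: the fixed handler treats fileId as an untrusted key and performs the ownership/share check on the server for every request, rather than trusting that the client only asks for ids it was previously shown.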
Potential Impact
For European organizations, this vulnerability presents a risk of unauthorized disclosure of sensitive or confidential files within their Nextcloud environments. Given the widespread use of Nextcloud in Europe, especially among public sector, education, and private enterprises valuing open-source solutions, the potential for internal data leaks is significant. This can lead to violations of GDPR and other data protection regulations, resulting in legal penalties and reputational damage. The confidentiality breach could expose personal data, intellectual property, or strategic documents. Although the vulnerability does not allow modification or deletion of files, the unauthorized access to previews alone can compromise privacy and confidentiality. Organizations with large user bases or sensitive data stored on Nextcloud are particularly vulnerable. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially from insider threats or compromised accounts.
Mitigation Recommendations
Organizations should immediately audit their Nextcloud 30.0.0 deployments to identify exposure of the /core/preview endpoint. Implement strict access control checks on the fileId parameter to ensure users can only access previews of files they are authorized to view. Employ server-side validation and authorization logic to enforce sharing permissions robustly. Monitor authenticated user activities for unusual access patterns to detect potential exploitation attempts. Limit user privileges to the minimum necessary to reduce risk from compromised accounts. Consider disabling preview generation temporarily if feasible until a vendor patch is released. Stay alert for official patches or updates from Nextcloud and apply them promptly once available. Additionally, conduct user awareness training to reduce insider threat risks and enforce strong authentication mechanisms such as multi-factor authentication to protect user accounts.
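To make the monitoring recommendation above concrete, here is an added detection example (written for this page, not part of the original advisory or of Nextcloud) that scans access-log lines for a single account requesting previews of an unusual number of distinct fileIds, or of consecutive ids, within a short window. The log lines are constructed; the log format (authenticated user in the third field, as a reverse proxy would record it) and the thresholds are assumptions to be tuned for a real deployment.

```python
"""
Heuristic detection of preview enumeration in web-server access logs.
Added example for this page; the sample log, the log format and the
thresholds are constructed assumptions, not Nextcloud defaults.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice fetches two previews; bob fetches six previews
# with consecutive fileIds in six seconds. One unrelated request is mixed in.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Dec/2025:17:10:01 +0000] "GET /core/preview?fileId=102&x=64&y=64 HTTP/1.1" 200 5120
10.0.0.5 - alice [12/Dec/2025:17:10:02 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 8810
10.0.0.5 - alice [12/Dec/2025:17:10:03 +0000] "GET /core/preview?fileId=104&x=64&y=64 HTTP/1.1" 200 4096
10.0.0.9 - bob [12/Dec/2025:17:12:00 +0000] "GET /core/preview?fileId=200&x=64&y=64 HTTP/1.1" 200 3001
10.0.0.9 - bob [12/Dec/2025:17:12:01 +0000] "GET /core/preview?fileId=201&x=64&y=64 HTTP/1.1" 200 3002
10.0.0.9 - bob [12/Dec/2025:17:12:02 +0000] "GET /core/preview?fileId=202&x=64&y=64 HTTP/1.1" 200 2990
10.0.0.9 - bob [12/Dec/2025:17:12:03 +0000] "GET /core/preview?fileId=203&x=64&y=64 HTTP/1.1" 200 3120
10.0.0.9 - bob [12/Dec/2025:17:12:04 +0000] "GET /core/preview?fileId=204&x=64&y=64 HTTP/1.1" 200 3044
10.0.0.9 - bob [12/Dec/2025:17:12:05 +0000] "GET /core/preview?fileId=205&x=64&y=64 HTTP/1.1" 200 2871
"""

# Common-log-style line with an authenticated user and a /core/preview request.
LINE_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"GET /core/preview\?[^"]*?\bfileId=(?P<fid>\d+)'
)


def parse_preview_requests(log_text):
    """Return (user, timestamp, fileId) for every preview request in the log."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((m.group("user"), ts, int(m.group("fid"))))
    return events


def longest_consecutive_run(ids):
    """Length of the longest run of ids that increase by exactly one."""
    ordered = sorted(set(ids))
    best = run = 1 if ordered else 0
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(events, window=timedelta(seconds=60),
                     min_distinct=5, min_run=4):
    """Flag users who request at least `min_distinct` different fileIds inside
    one `window`, or whose ids form a consecutive run of at least `min_run`.
    Returns {user: {"distinct_in_window": n, "consecutive_run": r}}."""
    by_user = defaultdict(list)
    for user, ts, fid in events:
        by_user[user].append((ts, fid))
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()
        max_distinct = 0
        for i, (start, _) in enumerate(reqs):
            in_window = {fid for ts, fid in reqs[i:] if ts - start <= window}
            max_distinct = max(max_distinct, len(in_window))
        run = longest_consecutive_run(fid for _, fid in reqs)
        if max_distinct >= min_distinct or run >= min_run:
            flagged[user] = {"distinct_in_window": max_distinct,
                             "consecutive_run": run}
    return flagged


if __name__ == "__main__":
    for user, stats in find_enumerators(parse_preview_requests(SAMPLE_LOG)).items():
        print(f"suspicious preview activity: {user} {stats}")
```

Two caveats for real use. With session-cookie authentication the proxy's user field is usually "-", so the user attribution has to come from Nextcloud's own logs (for example the admin_audit app, if enabled) rather than the access log. And because the vulnerable version returns 200 for unauthorized previews, the signal is volume and id pattern per account, not error rate; tune the window and thresholds against a baseline of normal file-browser behaviour, which also fetches many previews, but for files the user can already see.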
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Austria, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693c4cbf72d8eb03a61c7d81
Added to database: 12/12/2025, 5:11:27 PM
Last enriched: 12/19/2025, 5:45:02 PM
Last updated: 2/5/2026, 12:22:53 PM
Views: 274
Related Threats
- CVE-2026-1517: SQL Injection in iomad (Medium)
- CVE-2026-23572: CWE-863 Incorrect Authorization in TeamViewer Remote (High)
- CVE-2026-1966: CWE-522 Insufficiently Protected Credentials in YugabyteDB Inc YugabyteDB Anywhere (Low)
- CVE-2026-23797: CWE-256 Plaintext Storage of a Password in OpenSolution Quick.Cart (Medium)
- CVE-2026-23796: CWE-384 Session Fixation in OpenSolution Quick.Cart (Medium)