
CVE-2025-64011: n/a

Medium
Published: Fri Dec 12 2025 (12/12/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing permissions.

AI-Powered Analysis

Last updated: 12/12/2025, 17:26:11 UTC

Technical Analysis

CVE-2025-64011 describes an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint of Nextcloud Server 30.0.0. The endpoint renders thumbnails and text previews for authenticated users and identifies the target file by the numeric fileId parameter. It does not verify that the requesting user owns, or has been granted a share of, the file that fileId names, so any authenticated user can substitute another user's file id and receive a preview of that file. Because previews are generated for images and for text-type files, the leaked material is often directly readable: a thumbnail of a scanned document or the rendered first lines of a text file. Exploitation needs nothing beyond a valid session and a crafted GET request; no elevated privileges or victim interaction are involved, and file ids are small integers, so candidates are easy to guess. No public exploit had been reported at the time of analysis. The record carries no CVSS score, so severity has to be inferred from the vulnerability itself: the impact is confidentiality only (no integrity or availability effect), the precondition is any account on the instance, which includes guest or self-registered accounts where those are enabled, and the attack is trivial once a session exists. Insiders and compromised accounts are therefore the realistic actors. All installations running the affected version are in scope. No patch or vendor advisory is linked in this record; administrators should check Nextcloud's security advisories for a fixed release rather than assume none exists.
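The authorization gap described above, modelled in a few lines. This is an added example and not Nextcloud's code: the in-memory store, the file ids and the function names (vulnerable_preview, hardened_preview, probe) are hypothetical. The vulnerable handler resolves the object by its global id after authentication; the hardened one resolves it only within what the caller may read.

```python
"""Illustrative model of the IDOR class described above. This is an added
example, not Nextcloud's code: the store, the file ids and the function
names (vulnerable_preview, hardened_preview, probe) are all hypothetical."""
from dataclasses import dataclass, field


@dataclass
class StoredFile:
    file_id: int
    owner: str
    name: str
    content: bytes
    shared_with: set = field(default_factory=set)  # users holding a share


class PreviewForbidden(Exception):
    """Raised for both 'not found' and 'not authorised'."""


# Constructed sample data: alice owns two files, one of them shared with bob.
FILES = {
    101: StoredFile(101, "alice", "notes.txt", b"quarterly numbers: confidential"),
    102: StoredFile(102, "alice", "team.png", b"\x89PNG\r\n\x1a\n", shared_with={"bob"}),
    103: StoredFile(103, "bob", "todo.txt", b"buy milk"),
}


def render_preview(f: StoredFile) -> str:
    """Stand-in for a thumbnail / text-preview generator."""
    return f"preview of {f.name}: {f.content[:16]!r}"


def vulnerable_preview(user: str, file_id: int) -> str:
    """The IDOR pattern: the caller is authenticated, but the object is
    resolved by its global id and never tied back to that caller."""
    f = FILES.get(file_id)
    if f is None:
        raise PreviewForbidden(f"no preview for fileId={file_id}")
    return render_preview(f)


def can_read(user: str, f: StoredFile) -> bool:
    """Owner or share recipient; mirror whatever the real ACL model is."""
    return f.owner == user or user in f.shared_with


def hardened_preview(user: str, file_id: int) -> str:
    """Resolve the id only within what the caller may read, and answer
    'not yours' and 'does not exist' identically so the endpoint is not an
    oracle for which ids are in use."""
    f = FILES.get(file_id)
    if f is None or not can_read(user, f):
        raise PreviewForbidden(f"no preview for fileId={file_id}")
    return render_preview(f)


def probe(handler, user: str, ids) -> dict:
    """Walk a range of ids as an attacker would; return {id: preview} for
    every id the handler served to this user."""
    served = {}
    for fid in ids:
        try:
            served[fid] = handler(user, fid)
        except PreviewForbidden:
            pass
    return served
```

Running probe over ids 100..109 as bob returns alice's unshared notes.txt from the vulnerable handler and only bob's own file plus the shared image from the hardened one. The point is that knowing who the caller is (authentication) says nothing about what they may fetch (authorization); the fix lives in the lookup scope, not in the session check.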

Potential Impact

For European organizations, the exposure is to data confidentiality: any file whose id another account holder can guess may be partially disclosed through its preview, and for text files and images the preview is often the content itself. Where the stored files contain personal data, that is a personal-data breach under GDPR, with the notification duties and potential penalties that follow. Organizations using Nextcloud for internal or external collaboration risk exposure of confidential documents, intellectual property and personal data, and disclosed content can seed follow-on attacks such as targeted phishing. Because only an authenticated account is needed, the risk is highest on instances with many users, with guest or self-registered accounts, or with weak credential hygiene. Public sector bodies, healthcare providers, financial institutions and other regulated enterprises are the most exposed. With no patch linked in this record at the time of analysis, organizations have to rely on interim controls, which adds operational burden.

Mitigation Recommendations

Blocking /core/preview outright at a proxy or WAF is rarely viable: the web and mobile clients request previews for every file listing, so a blanket deny breaks thumbnails for all users. More targeted interim controls are available. If previews are not essential, disable them in config.php with 'enable_previews' => false, which removes the vulnerable code path at the cost of thumbnails; restricting enabledPreviewProviders (for example, dropping the text provider) narrows what a leaked preview reveals if previews must stay on. Otherwise, rate-limit /core/preview per authenticated session at the reverse proxy, because enumerating fileId values produces far more distinct-id requests than normal browsing. Enforce multi-factor authentication and review whether guest or self-registration accounts are enabled, since any account suffices to exploit this. For detection, the reverse proxy's access log is the reliable record of /core/preview hits, including the fileId query parameter: alert on an account requesting many distinct fileId values in a short window, especially with a mix of 200 and 404 responses, which is what probing ids that do and do not exist looks like. Review sharing settings and audit which sensitive files live on the instance. Track Nextcloud's security advisories and apply the fixed release as soon as it is identified; after patching, review historical access logs for enumeration that predates the fix and treat confirmed cases as a data-disclosure incident.
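The log-based detection suggested above, as an added example that is not part of the page or of Nextcloud. It assumes a combined-format access log with the authenticated user in the third field; the sample lines are constructed, and the window and threshold are assumptions to tune against your own baseline. Adapt LINE_RE to your reverse proxy's log format.

```python
"""Added example, not from the page or from Nextcloud: flag accounts that
fetch previews of unusually many distinct fileIds in a short window. The
combined-log line format, the window and the threshold are assumptions; the
sample lines are constructed. Adapt LINE_RE to your reverse proxy's format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice browses normally; bob walks fileId 100..107,
# getting 200s for ids that exist and a 404 for one that does not.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Dec/2025:10:00:01 +0000] "GET /core/preview?fileId=205&x=64&y=64 HTTP/1.1" 200 4123
10.0.0.5 - alice [12/Dec/2025:10:00:02 +0000] "GET /core/preview?fileId=206&x=64&y=64 HTTP/1.1" 200 3890
10.0.0.9 - bob [12/Dec/2025:10:05:00 +0000] "GET /core/preview?fileId=100&x=64&y=64 HTTP/1.1" 200 2210
10.0.0.9 - bob [12/Dec/2025:10:05:01 +0000] "GET /core/preview?fileId=101&x=64&y=64 HTTP/1.1" 200 2150
10.0.0.9 - bob [12/Dec/2025:10:05:02 +0000] "GET /core/preview?fileId=102&x=64&y=64 HTTP/1.1" 200 1980
10.0.0.9 - bob [12/Dec/2025:10:05:03 +0000] "GET /core/preview?fileId=103&x=64&y=64 HTTP/1.1" 200 2330
10.0.0.9 - bob [12/Dec/2025:10:05:04 +0000] "GET /core/preview?fileId=104&x=64&y=64 HTTP/1.1" 200 2045
10.0.0.9 - bob [12/Dec/2025:10:05:05 +0000] "GET /core/preview?fileId=105&x=64&y=64 HTTP/1.1" 200 2570
10.0.0.9 - bob [12/Dec/2025:10:05:06 +0000] "GET /core/preview?fileId=106&x=64&y=64 HTTP/1.1" 200 1890
10.0.0.9 - bob [12/Dec/2025:10:05:07 +0000] "GET /core/preview?fileId=107&x=64&y=64 HTTP/1.1" 404 0
10.0.0.5 - alice [12/Dec/2025:10:09:40 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 15012
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"GET /core/preview\?(?P<qs>[^ "]*) HTTP/[\d.]+" (?P<status>\d{3}) \d+'
)


def parse_preview_request(line):
    """Return (user, timestamp, fileId, status) for a /core/preview hit,
    or None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    qs = dict(p.split("=", 1) for p in m["qs"].split("&") if "=" in p)
    if not qs.get("fileId", "").isdigit():
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["user"], ts, int(qs["fileId"]), int(m["status"])


def find_enumerators(lines, window=timedelta(minutes=5), max_distinct=5):
    """Return {user: {"requested": [...], "served": [...]}} for each user who
    requested more than max_distinct distinct fileIds inside any window.
    404s count towards the request set (probing ids that do not exist is
    itself a signal); 'served' lists the ids that actually returned 200."""
    per_user = defaultdict(list)
    for line in lines:
        rec = parse_preview_request(line)
        if rec is not None:
            per_user[rec[0]].append(rec)
    flagged = {}
    for user, recs in per_user.items():
        recs.sort(key=lambda r: r[1])
        for i, (_, t0, _, _) in enumerate(recs):
            in_window = [r for r in recs[i:] if r[1] - t0 <= window]
            requested = {r[2] for r in in_window}
            if len(requested) > max_distinct:
                flagged[user] = {
                    "requested": sorted(requested),
                    "served": sorted({r[2] for r in in_window if r[3] == 200}),
                }
                break
    return flagged
```

On the sample, bob is flagged with eight requested ids and seven served; alice, with two previews in five minutes, is not. The "served" list is what matters for incident scoping: those are the file ids whose previews actually left the server, and they map back to owners through the filecache, which tells you whose data to consider disclosed.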


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-10-27T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 693c4cbf72d8eb03a61c7d81

Added to database: 12/12/2025, 5:11:27 PM

Last enriched: 12/12/2025, 5:26:11 PM

Last updated: 12/15/2025, 4:08:45 AM
