CVE-2025-65963: CWE-284: Improper Access Control in humhub cfiles
Description
Files is a module for managing files inside spaces and user profiles. Prior to versions 0.16.11 and 0.17.2, insufficient authorization checks allow non-member users to create new folders, up- and download files as a ZIP archive in public spaces. Private spaces are not affected. This issue has been patched in versions 0.16.11 and 0.17.2.
AI Analysis
Technical Summary
CVE-2025-65963 is an improper access control vulnerability (CWE-284, CWE-285) found in the cfiles module of HumHub, a social collaboration platform. The cfiles module manages file operations within spaces and user profiles. In affected versions prior to 0.16.11 and between 0.17.0 and 0.17.2, the module fails to enforce sufficient authorization checks for public spaces, allowing authenticated users who are not members of those spaces to create new folders and upload or download files, including bulk downloads as ZIP archives. This flaw does not affect private spaces, which maintain proper access controls. The vulnerability allows unauthorized modification and disclosure of files in public spaces, impacting confidentiality and integrity. The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, and requiring low privileges but no user interaction. No known exploits are currently reported in the wild. The issue was addressed by patches in versions 0.16.11 and 0.17.2, which enforce stricter authorization checks to prevent unauthorized file operations.
Potential Impact
For European organizations using HumHub with the vulnerable cfiles module, this vulnerability could lead to unauthorized disclosure and modification of files stored in public collaboration spaces. Confidential information intended to be restricted to space members could be accessed or altered by any authenticated user, potentially leading to data leaks, reputational damage, and compliance violations under regulations such as GDPR. Although private spaces remain secure, many organizations use public spaces for broader collaboration, increasing exposure. The integrity of shared documents can be compromised, affecting business processes and trust among collaborators. Since the vulnerability does not impact availability, denial-of-service risks are minimal. However, the ease of exploitation by any authenticated user and the potential for bulk data exfiltration elevate the risk profile for organizations relying on public spaces within HumHub.
Mitigation Recommendations
European organizations should immediately upgrade HumHub cfiles to version 0.16.11 or 0.17.2 or later to apply the official patches that fix the authorization checks. Until patched, restrict access to public spaces by limiting authenticated user permissions or disabling file operations in public spaces if possible. Implement monitoring and alerting on unusual file creation, upload, or download activities within public spaces to detect potential exploitation. Conduct audits of public space contents to identify unauthorized changes or data exposure. Educate users about the risks of storing sensitive data in public spaces and encourage use of private spaces for confidential information. Review and tighten access control policies within HumHub to ensure least privilege principles are enforced. Additionally, maintain up-to-date backups of critical files to recover from potential integrity breaches.
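As an added illustration, not HumHub's own code or the project's fix, the following Python sketch models the missing check described above and turns it into the kind of detection rule the monitoring recommendation calls for: in a public space a non-member may legitimately browse, but folder creation, upload and ZIP download should require membership. The event format, field names and sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Operations the advisory says non-members could perform in public spaces.
# Browsing a public space is legitimately visible to non-members, so it is
# deliberately not in this set.
MEMBER_ONLY_OPS = {"create_folder", "upload", "zip_download"}

@dataclass(frozen=True)
class Space:
    name: str
    public: bool
    members: frozenset  # usernames of space members

def flawed_can_access(space: Space, user: str, op: str) -> bool:
    """Models the pre-patch behaviour: once a space is public, any
    authenticated user is allowed; membership only matters for private spaces."""
    return space.public or user in space.members

def hardened_can_access(space: Space, user: str, op: str) -> bool:
    """Models the intended rule: member-only operations require membership
    regardless of visibility; public spaces stay readable for everyone."""
    if op in MEMBER_ONLY_OPS:
        return user in space.members
    return space.public or user in space.members

def find_violations(events, spaces):
    """Detection rule for audit events (user, space_name, op): report events
    the flawed check would have granted but the hardened rule denies, i.e. a
    non-member writing to or bulk-downloading from a public space."""
    hits = []
    for user, space_name, op in events:
        space = spaces[space_name]
        if flawed_can_access(space, user, op) and not hardened_can_access(space, user, op):
            hits.append((user, space_name, op))
    return hits

# Constructed sample data (hypothetical; not from any real HumHub instance).
SPACES = {
    "engineering": Space("engineering", public=True, members=frozenset({"alice"})),
    "board": Space("board", public=False, members=frozenset({"carol"})),
}
EVENTS = [
    ("alice", "engineering", "upload"),        # member: expected
    ("bob", "engineering", "list"),            # non-member browsing a public space: expected
    ("bob", "engineering", "create_folder"),   # non-member write in public space: flag
    ("bob", "engineering", "zip_download"),    # non-member bulk download: flag
    ("bob", "board", "upload"),                # private space: denied either way
]
```

Running `find_violations(EVENTS, SPACES)` returns only the two non-member events in the public space, which is the pattern worth alerting on until the patched module versions are deployed.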
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-18T16:14:56.694Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69263fd05765e822eef9c741
Added to database: 11/25/2025, 11:46:24 PM
Last enriched: 11/26/2025, 12:01:28 AM
Last updated: 11/26/2025, 1:02:32 AM