
CVE-2025-66510: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor in nextcloud security-advisories

Severity: Medium
Tags: Vulnerability, CVE-2025-66510, cve, cwe-359
Published: Fri Dec 05 2025 (12/05/2025, 16:18:53 UTC)
Source: CVE Database V5
Vendor/Project: nextcloud
Product: security-advisories

Description

Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1, and in Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, the contacts search allowed retrieving personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related to them or added as contacts.

AI-Powered Analysis

Last updated: 12/05/2025, 16:46:32 UTC

Technical Analysis

CVE-2025-66510 is a vulnerability in Nextcloud Server, a widely used self-hosted cloud storage and collaboration platform. It affects Nextcloud Server releases prior to 31.0.10 and 32.0.1, and Nextcloud Enterprise Server releases prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10. The issue is improper access control in the contacts search functionality: an authenticated user can query and retrieve personal information of other users beyond their own contact list, specifically email addresses, full names, and unique user identifiers. This exposure violates the principle of least privilege and leads to unauthorized disclosure of private personal information; the vulnerability is classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor). The CVSS v3.1 score is 4.5 (medium): the attack vector is network-based with low attack complexity, but it requires high privileges (an authenticated user) and user interaction (a search query). The impact is limited to confidentiality, with no effect on integrity or availability. No public exploits have been reported, but the leaked data could be used for targeted information gathering or social engineering. The flaw affects a broad range of Nextcloud versions, including several enterprise releases, so many organizations may be vulnerable if they have not updated. No patch links are attached to this record; fixes are available in the versions listed above and should be verified and applied promptly.

Potential Impact

For European organizations, the unauthorized exposure of personal data through this vulnerability poses significant privacy and compliance risks. Nextcloud is widely adopted in Europe due to its self-hosted nature, which aligns with GDPR requirements for data control and sovereignty. The leakage of emails, names, and identifiers can facilitate phishing, spear-phishing, and social engineering attacks, potentially leading to broader security incidents. Additionally, such data exposure may result in violations of GDPR and other data protection regulations, leading to legal penalties and reputational damage. Since the vulnerability requires authentication, insider threats or compromised accounts could exploit it. The impact is primarily on confidentiality, with no direct disruption to service availability or data integrity. However, the privacy breach alone is critical in regulated environments. Organizations using affected Nextcloud versions must consider the risk of unauthorized data disclosure and its implications for user trust and regulatory compliance.

Mitigation Recommendations

Organizations should immediately verify their Nextcloud Server or Enterprise Server versions and upgrade to at least 31.0.10 or 32.0.1, or the corresponding patched enterprise versions (28.0.14.11, 29.0.16.8, 30.0.17.3, 31.0.10). If immediate upgrading is not feasible, restrict access to the contacts search functionality to trusted users only and monitor logs for unusual search activity. Implement strict authentication and authorization controls, including multi-factor authentication (MFA) to reduce the risk of compromised accounts. Conduct regular audits of user permissions and review contact lists to minimize exposure. Additionally, educate users about phishing risks that could arise from leaked contact information. Network segmentation and limiting Nextcloud access to internal or VPN-only connections can reduce exposure. Finally, maintain up-to-date backups and incident response plans to quickly address any data breach resulting from exploitation.
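The first mitigation step is checking the installed version against the fixed releases. The following Python checker is an added example, not part of this record or of Nextcloud's own tooling: it compares a version string with the per-branch fixed releases quoted in the description (including the four-component enterprise versions) and reports branches the advisory does not list instead of guessing. Reading the `versionstring` field from `occ status --output=json` is an assumption about that command's output, and the sample JSON below is constructed.

```python
import json
import re

# Fixed releases per major branch, copied from the advisory text for
# CVE-2025-66510. Anything below the listed release in its branch is affected.
FIXED_BY_BRANCH = {
    "server": {31: (31, 0, 10), 32: (32, 0, 1)},
    "enterprise": {
        28: (28, 0, 14, 11),
        29: (29, 0, 16, 8),
        30: (30, 0, 17, 3),
        31: (31, 0, 10),
    },
}

_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '31.0.9.2' (or '31.0.9 RC1') into a tuple of ints, ignoring suffixes."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def compare_versions(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Return -1, 0 or 1; the shorter tuple is zero-padded so 31.0.10 == 31.0.10.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def assess(version: str, edition: str) -> str:
    """Classify one installed version against the advisory's fixed releases.

    Returns one of:
      'patched'        at or above the fixed release of its branch
      'vulnerable'     below the fixed release of its branch
      'unfixed-branch' older than every branch that received a fix (no fixed
                       release exists in this branch; move to a fixed branch)
      'not-listed'     a branch the advisory does not mention; confirm against
                       the vendor advisory rather than assuming it is safe
    """
    fixed = FIXED_BY_BRANCH[edition]
    installed = parse_version(version)
    branch = installed[0]
    if branch < min(fixed):
        return "unfixed-branch"
    if branch not in fixed:
        return "not-listed"
    return "patched" if compare_versions(installed, fixed[branch]) >= 0 else "vulnerable"


def assess_occ_status(occ_json: str, edition: str) -> dict:
    """Read the JSON printed by `occ status --output=json` (assumed to carry a
    'versionstring' key) and return the assessment with the version it used."""
    status = json.loads(occ_json)
    version = status["versionstring"]
    return {"version": version, "edition": edition, "status": assess(version, edition)}


# Constructed sample shaped like `occ status --output=json` output (assumption).
SAMPLE_OCC_STATUS = (
    '{"installed": true, "version": "31.0.9.1", "versionstring": "31.0.9", "edition": ""}'
)

if __name__ == "__main__":
    print(assess_occ_status(SAMPLE_OCC_STATUS, "server"))
    for v, e in [("31.0.10", "server"), ("32.0.0", "server"),
                 ("30.0.17.2", "enterprise"), ("33.0.0", "server")]:
        print(v, e, "->", assess(v, e))
```

The `edition` argument has to come from the operator, since the community and enterprise branches carry different fixed releases (Enterprise 30.x is fixed at 30.0.17.3, while community 30.x has no fixed release in this advisory and is reported as `unfixed-branch`).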


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-03T15:12:22.978Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 693308e8f88dbe026cf79155

Added to database: 12/5/2025, 4:31:36 PM

Last enriched: 12/5/2025, 4:46:32 PM

Last updated: 12/5/2025, 9:41:53 PM
