
CVE-2025-66510: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor in nextcloud security-advisories

Severity: Medium
Tags: CVE-2025-66510, CWE-359
Published: Fri Dec 05 2025 (12/05/2025, 16:18:53 UTC)
Source: CVE Database V5
Vendor/Project: nextcloud
Product: security-advisories

Description

Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1, and in Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, the contacts search allowed personal data of other users (emails, names, identifiers) to be retrieved without proper access control. This allows an authenticated user to retrieve information about accounts that are not related to them or added as contacts.

AI-Powered Analysis

Last updated: 12/12/2025, 17:37:31 UTC

Technical Analysis

CVE-2025-66510 is a vulnerability in Nextcloud Server versions prior to 31.0.10 and 32.0.1, and in Nextcloud Enterprise Server versions prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10. Nextcloud is a widely used self-hosted cloud storage and collaboration platform. The vulnerability stems from a flaw in the contacts search feature, which improperly enforces access controls. Authenticated users can exploit this flaw to retrieve personal information—such as email addresses, full names, and unique identifiers—of other users who are not in their contact lists or otherwise authorized to be visible to them. This exposure violates user privacy and confidentiality principles. The vulnerability is categorized under CWE-359, which concerns the exposure of private personal information to unauthorized actors. The CVSS v3.1 base score is 4.5 (medium severity), reflecting that the attack vector is network-based (AV:N) and attack complexity is low (AC:L), but high privileges (PR:H) and user interaction (UI:R) are required. The scope remains unchanged (S:U), and the impact is limited to confidentiality (C:H), with no impact on integrity or availability. No public exploits have been reported yet, but the vulnerability presents a significant privacy risk, especially in environments with sensitive or regulated data. The flaw affects multiple Nextcloud branches, including 31.x and 32.x, so affected deployments should update to 31.0.10, 32.0.1, or later (or the corresponding Enterprise releases) to remediate the issue.

Potential Impact

The primary impact of CVE-2025-66510 is the unauthorized disclosure of private personal information within Nextcloud deployments. For European organizations, this can lead to violations of the EU General Data Protection Regulation (GDPR), resulting in legal penalties, reputational damage, and loss of customer trust. The exposure of emails, names, and identifiers could facilitate targeted phishing attacks, social engineering, or identity theft. Although the vulnerability does not affect data integrity or availability, the confidentiality breach alone is significant, especially for sectors handling sensitive personal or business data such as healthcare, finance, and government. Organizations relying on Nextcloud for internal collaboration or customer data storage are at risk of inadvertent data leaks to unauthorized internal users. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but this does not eliminate risk, as insider threats or credential theft are common attack vectors. The absence of known exploits in the wild provides a window for remediation but should not lead to complacency.

Mitigation Recommendations

1. Immediate patching: Upgrade Nextcloud Server and Enterprise Server to versions 31.0.10, 32.0.1, or later (or the corresponding Enterprise releases 28.0.14.11, 29.0.16.8, 30.0.17.3) where the vulnerability is fixed.
2. Access control review: Audit and tighten user permissions and roles within Nextcloud to minimize the number of users with access to contacts search functionality.
3. Monitor authentication logs: Implement enhanced monitoring for unusual authenticated user behavior that could indicate attempts to exploit this vulnerability.
4. User awareness: Educate users about the risks of credential compromise and phishing, as exploitation requires authentication.
5. Network segmentation: Restrict Nextcloud access to trusted networks or VPNs to reduce exposure to unauthorized actors.
6. Data minimization: Limit the amount of personal information stored or displayed in contacts to the minimum necessary.
7. Incident response readiness: Prepare to respond to potential data exposure incidents, including notification procedures compliant with GDPR.
8. Regular vulnerability scanning: Incorporate checks for Nextcloud vulnerabilities in routine security assessments.
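A branch-aware check for step 1, added here as an example and not part of the advisory or of Nextcloud's own tooling: it parses the `version:` line of `occ status` output (the sample below is constructed) and compares it against the fixed releases listed above, handling the four-component Enterprise version numbers and branches for which this advisory names no fixed release.

```python
"""Check a Nextcloud version against the fixed releases listed for CVE-2025-66510."""
import re

# Fixed releases copied from the advisory text, keyed by major branch.
FIXED_SERVER = {31: (31, 0, 10), 32: (32, 0, 1)}
FIXED_ENTERPRISE = {
    28: (28, 0, 14, 11),
    29: (29, 0, 16, 8),
    30: (30, 0, 17, 3),
    31: (31, 0, 10),
}

def parse_version(text):
    """'28.0.14.10' -> (28, 0, 14, 10); tuples compare component-wise."""
    return tuple(int(p) for p in text.strip().split("."))

def is_affected(version, enterprise=False):
    """True if below the fixed release for its branch, False if fixed,
    None if this advisory lists no fixed release for that branch."""
    v = parse_version(version)
    fixed = (FIXED_ENTERPRISE if enterprise else FIXED_SERVER).get(v[0])
    if fixed is None:
        return None
    # A shorter prefix (28.0.14) sorts below 28.0.14.11, as intended.
    return v < fixed

def version_from_occ_status(output):
    """Extract the 'version:' field from `php occ status` text output."""
    m = re.search(r"^\s*-\s*version:\s*([\d.]+)\s*$", output, re.MULTILINE)
    if not m:
        raise ValueError("no version line in occ status output")
    return m.group(1)

# Constructed sample of `occ status` output for an unpatched 31.x install.
SAMPLE_OCC_STATUS = """  - installed: true
  - version: 31.0.9.1
  - versionstring: 31.0.9
  - maintenance: false
"""

if __name__ == "__main__":
    ver = version_from_occ_status(SAMPLE_OCC_STATUS)
    state = {True: "AFFECTED", False: "fixed", None: "no fixed release listed"}
    print(f"Nextcloud {ver}: {state[is_affected(ver)]}")
```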


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-03T15:12:22.978Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 693308e8f88dbe026cf79155

Added to database: 12/5/2025, 4:31:36 PM

Last enriched: 12/12/2025, 5:37:31 PM

Last updated: 1/20/2026, 6:29:15 PM

Views: 74
