CVE-2025-66513: CWE-639: Authorization Bypass Through User-Controlled Key in nextcloud security-advisories
CVE-2025-66513 is a medium severity authorization bypass vulnerability in Nextcloud Tables versions prior to 0.8.9, 0.9.6, and 1.0.1. It allows unauthorized users to access information about which tables are shared with which groups or users and their permissions, due to insufficient access control on user-controlled keys. Exploitation requires network access and some user interaction but no privileges. The vulnerability impacts confidentiality but not integrity or availability.
AI Analysis
Technical Summary
CVE-2025-66513 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting Nextcloud Tables, a component that allows users to create custom tables with individual columns. The flaw exists in versions prior to 0.8.9, 0.9.6, and 1.0.1, where access to metadata about table sharing (which numeric table IDs are shared with which groups or users, and with what permissions) was insufficiently restricted. Non-privileged users could therefore query or infer sharing information that should have been limited to privileged users only. The root cause is that the key controlling access, the table ID, is user-controlled, and the server did not verify that the requester was authorized for that table before returning its sharing configuration. The CVSS 3.1 score is 4.3 (medium): the attack vector is network-based, no authentication or privileges are required, user interaction is required (such as accessing a crafted link or interface), and the impact is limited to confidentiality, with no effect on integrity or availability. No known exploits have been reported in the wild as of the publication date. Nextcloud addressed the issue in versions 0.8.9, 0.9.6, and 1.0.1 by enforcing proper access control checks on the sharing metadata keys, so that only authorized users can retrieve sharing information. The leaked sharing relationships could help an attacker map who collaborates on what within an organization, potentially aiding further targeted attacks or social engineering.
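The CWE-639 pattern described above, as an added illustration that is not Nextcloud Tables code: a share-metadata lookup keyed on a caller-supplied table ID, first in the vulnerable form (existence check only) and then with the authorization check the fix enforces. The users, groups, tables and the `Share`/`Table` models are constructed for this example and are not the project's data model; the hardened version also returns the same error for "no such table" and "not your table" so that the endpoint cannot be used to confirm which IDs exist.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Share:
    receiver: str                   # user id or group id the table is shared with
    receiver_type: str              # "user" or "group"
    permission_manage: bool = False  # may change sharing; read access is implied


@dataclass
class Table:
    table_id: int
    owner: str
    shares: list = field(default_factory=list)


class NotFound(Exception):
    """Raised for both 'no such table' and 'not your table' (see get_shares)."""


# Constructed sample data: hypothetical users, groups and tables.
GROUPS = {"finance": {"dave"}, "hr": {"erin"}}
TABLES = {
    1: Table(1, "alice", [Share("bob", "user"),
                          Share("finance", "group", permission_manage=True)]),
    2: Table(2, "carol", [Share("hr", "group")]),
}


def _describe(table):
    # Stable, comparable representation of the sharing configuration.
    return sorted((s.receiver_type, s.receiver, s.permission_manage) for s in table.shares)


def get_shares_vulnerable(requesting_user, table_id):
    """CWE-639 shape: trusts the user-supplied table_id and only checks that the
    table exists, never who is asking. Any caller learns any table's shares."""
    table = TABLES.get(table_id)
    if table is None:
        raise NotFound(table_id)
    return _describe(table)


def can_manage(user, table):
    """True if `user` owns the table or holds a manage share, directly or via a group."""
    if table.owner == user:
        return True
    for s in table.shares:
        if not s.permission_manage:
            continue
        if s.receiver_type == "user" and s.receiver == user:
            return True
        if s.receiver_type == "group" and user in GROUPS.get(s.receiver, set()):
            return True
    return False


def get_shares(requesting_user, table_id):
    """Hardened lookup: bind the key to the caller's rights before disclosing
    anything. Missing and forbidden tables raise the same error so the
    endpoint does not leak which table IDs exist."""
    table = TABLES.get(table_id)
    if table is None or not can_manage(requesting_user, table):
        raise NotFound(table_id)
    return _describe(table)


if __name__ == "__main__":
    print("vulnerable, mallory on table 1:", get_shares_vulnerable("mallory", 1))
    print("hardened, alice on table 1:    ", get_shares("alice", 1))
    try:
        get_shares("mallory", 1)
    except NotFound:
        print("hardened, mallory on table 1:   denied")
```

The important detail is where the check sits: the authorization decision is made inside the lookup, against the object the key resolves to, rather than relying on the UI not to offer the ID. A read-only share recipient (`bob`) is also denied, matching the advisory's point that sharing metadata should be limited to privileged users.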
Potential Impact
For European organizations, this vulnerability primarily threatens confidentiality by exposing sensitive metadata about data sharing within Nextcloud Tables. Attackers could identify which tables are shared with which users or groups, revealing organizational structure, collaboration patterns, or sensitive project information. This could facilitate targeted phishing, social engineering, or reconnaissance for more severe attacks. Although the vulnerability does not directly compromise data integrity or availability, the leakage of sharing information can undermine trust and compliance with data protection regulations such as GDPR, especially if the shared data is sensitive or regulated. Organizations relying on Nextcloud for internal collaboration and document management are at risk of unauthorized disclosure of sharing relationships, which could have reputational and operational consequences. The medium severity rating indicates moderate risk, but the ease of exploitation without privileges means organizations should prioritize patching. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time.
Mitigation Recommendations
European organizations using Nextcloud Tables should immediately verify their version and upgrade to at least 0.8.9, 0.9.6, or 1.0.1, depending on their current version branch, to apply the official fix. Beyond patching, organizations should audit sharing permissions and metadata exposure within Nextcloud to ensure no excessive or unintended sharing exists. Implement strict access control policies and monitor user activities related to table sharing metadata access. Employ network segmentation and restrict external access to Nextcloud instances to reduce exposure. Use multi-factor authentication and strong user authentication mechanisms to limit unauthorized access. Regularly review Nextcloud security advisories and subscribe to vendor notifications for timely updates. Consider deploying Web Application Firewalls (WAFs) with rules to detect anomalous requests targeting sharing metadata endpoints. Finally, conduct user awareness training to reduce the risk of social engineering that could leverage leaked sharing information.
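One way to act on the monitoring recommendation above, as an added example that is not part of the advisory or of Nextcloud: a small detector that runs over access-log lines and flags a user who requests share metadata for many distinct table IDs in a short window (the signature of key enumeration), plus a count of refused requests, which is where the same behaviour surfaces once the fix is in place. The log format and the `/apps/tables/api/1/tables/<id>/shares` path are assumptions for this example; map them to your reverse proxy's log format and the routes your deployment actually serves. The sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed request path for table share metadata; adjust to your deployment's routes.
SHARE_PATH = re.compile(r"/apps/tables/api/1/tables/(\d+)/shares")
# Constructed log format: ISO timestamp, user id, HTTP status, method, path.
LOG_LINE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+)$")

# Constructed sample log (not real Nextcloud output).
SAMPLE_LOG = """\
2025-12-05T17:30:00 alice 200 GET /apps/tables/api/1/tables/1/shares
2025-12-05T17:30:05 alice 200 GET /apps/tables/api/1/tables/1/rows
2025-12-05T17:30:40 alice 200 GET /apps/tables/api/1/tables/2/shares
2025-12-05T17:31:00 bob 200 GET /apps/tables/api/1/tables/3/shares
2025-12-05T17:31:10 bob 200 GET /apps/tables/api/1/tables/3/shares
2025-12-05T17:31:20 bob 200 GET /apps/tables/api/1/tables/3/shares
2025-12-05T17:32:00 mallory 200 GET /apps/tables/api/1/tables/10/shares
2025-12-05T17:32:01 mallory 404 GET /apps/tables/api/1/tables/11/shares
2025-12-05T17:32:02 mallory 200 GET /apps/tables/api/1/tables/12/shares
2025-12-05T17:32:03 mallory 404 GET /apps/tables/api/1/tables/13/shares
2025-12-05T17:32:04 mallory 200 GET /apps/tables/api/1/tables/14/shares
2025-12-05T17:32:05 mallory 200 GET /apps/tables/api/1/tables/15/shares
2025-12-05T17:50:00 mallory 200 GET /apps/tables/api/1/tables/16/shares
"""


def parse_share_requests(text):
    """Return (timestamp, user, table_id, status) for share-metadata requests only."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, user, status, _method, path = m.groups()
        p = SHARE_PATH.search(path)
        if not p:
            continue
        events.append((datetime.fromisoformat(ts), user, int(p.group(1)), int(status)))
    return events


def find_enumerators(events, window=timedelta(minutes=5), min_distinct=4):
    """Map user -> largest number of distinct table IDs requested inside any
    `window`, for users reaching `min_distinct`. Repeated hits on one table
    (a normal UI refresh) do not count; a spread of IDs does."""
    by_user = defaultdict(list)
    for ts, user, tid, _status in events:
        by_user[user].append((ts, tid))
    flagged = {}
    for user, evs in by_user.items():
        evs.sort()
        best, start = 0, 0
        counts = defaultdict(int)  # table id -> occurrences inside the window
        for ts, tid in evs:
            counts[tid] += 1
            while ts - evs[start][0] > window:   # slide the window forward
                old = evs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = max(best, len(counts))
        if best >= min_distinct:
            flagged[user] = best
    return flagged


def denied_counts(events):
    """Per-user count of refused share-metadata requests (403/404). After the
    fix, enumeration shows up here; before it, only the burst of distinct IDs does."""
    out = defaultdict(int)
    for _ts, user, _tid, status in events:
        if status in (403, 404):
            out[user] += 1
    return dict(out)


if __name__ == "__main__":
    evs = parse_share_requests(SAMPLE_LOG)
    print("possible enumeration:", find_enumerators(evs))
    print("refused requests:    ", denied_counts(evs))
```

Tune `window` and `min_distinct` to the baseline of your own instance before alerting on this; on an unpatched server the distinct-ID burst is the only signal, since every request succeeds, which is one more reason to treat the upgrade as the primary control and this as a compensating check.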
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-03T15:28:02.992Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 693316b0f88dbe026cfdbe3e
Added to database: 12/5/2025, 5:30:24 PM
Last enriched: 12/12/2025, 7:14:54 PM
Last updated: 1/20/2026, 6:25:58 PM