CVE-2025-66513 is a medium-severity authorization bypass vulnerability affecting Nextcloud Tables, a component that enables users to create custom tables with individual columns. The flaw exists in versions prior to 0.8.9, 0.9.6, and 1.0.1, where the system failed to properly restrict access to metadata about table sharing. Specifically, the numeric IDs of tables shared with specific groups or users, along with the associated permissions, were accessible to unauthorized users due to insufficient access control checks. This vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), indicating that user-controlled input was used to bypass authorization mechanisms. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) indicates that the attack can be performed remotely over the network with low complexity, requires no privileges, but does require user interaction, and impacts confidentiality only without affecting integrity or availability. The vulnerability was publicly disclosed on December 5, 2025, and fixed in the specified patched versions. No public exploits have been reported to date. The flaw could allow an attacker to gain unauthorized visibility into sharing configurations, potentially exposing sensitive collaboration data or organizational structure details. However, it does not allow modification or deletion of data, nor does it cause service disruption.

For European organizations, this vulnerability poses a risk primarily to confidentiality. Unauthorized disclosure of sharing relationships and permissions could reveal sensitive information about internal collaboration, project structures, or user roles. This could facilitate further targeted attacks such as social engineering or spear phishing. Organizations handling sensitive or regulated data (e.g., financial, healthcare, government) may face compliance risks if unauthorized data exposure occurs. While the vulnerability does not allow data modification or service disruption, the leakage of sharing metadata could undermine trust and confidentiality guarantees. Given Nextcloud's popularity in Europe as an open-source cloud collaboration platform, especially among privacy-conscious organizations, the impact could be significant if exploited. The lack of known exploits reduces immediate risk but should not lead to complacency. Timely patching is essential to prevent potential reconnaissance by attackers aiming to map internal sharing structures.

European organizations using Nextcloud Tables should immediately verify their installed versions and upgrade to 0.8.9, 0.9.6, or 1.0.1 or later where the vulnerability is patched. If immediate upgrading is not feasible, restrict network access to Nextcloud instances to trusted users only and monitor access logs for suspicious activity involving table metadata requests. Implement strict role-based access controls and audit sharing permissions regularly to detect anomalies. Educate users about the risks of phishing and social engineering that could leverage leaked sharing information. Consider deploying web application firewalls (WAFs) with custom rules to detect and block unauthorized attempts to access sharing metadata endpoints. Maintain up-to-date backups and incident response plans to quickly address any exploitation attempts. Engage with Nextcloud community or vendor support for additional security advisories and patches.