CVE-2025-66547 is an authorization bypass vulnerability identified in Nextcloud Server and Enterprise Server versions prior to 31.0.1. Nextcloud is a widely used self-hosted personal cloud platform that enables file storage, sharing, and collaboration. The vulnerability arises from improper authorization checks when handling bulk tagging operations on files. Specifically, non-privileged users can exploit this flaw to modify tags on files they should not have access to, effectively bypassing intended access controls. This is categorized under CWE-639, which relates to authorization bypass through user-controlled keys or parameters. The vulnerability does not allow direct access to file contents or deletion but compromises the integrity of file metadata, which can be leveraged for privilege escalation or to mislead users and administrators about file states. The CVSS 3.1 base score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires low privileges, and no user interaction, but only impacts integrity without affecting confidentiality or availability. There are no known exploits in the wild at the time of publication. The issue was reserved on 2025-12-04 and published on 2025-12-05. The fix is included in Nextcloud Server version 31.0.1, which enforces proper authorization checks during bulk tagging operations to prevent unauthorized metadata modifications.

For European organizations using Nextcloud Server versions prior to 31.0.1, this vulnerability poses a risk to the integrity of file metadata. Unauthorized modification of file tags can lead to misclassification of sensitive documents, potentially causing compliance issues with data governance regulations such as GDPR. Attackers could manipulate tags to hide malicious files or mislead users, facilitating social engineering or lateral movement within networks. Although confidentiality and availability are not directly impacted, the integrity compromise can indirectly enable further attacks or data mishandling. Organizations relying on Nextcloud for collaboration and document management may face operational disruptions or reputational damage if attackers exploit this flaw to manipulate file metadata. The risk is heightened in environments with multiple users and complex access controls, common in European enterprises and public sector institutions.

European organizations should immediately upgrade all Nextcloud Server and Enterprise Server instances to version 31.0.1 or later to apply the official patch. Until patching is complete, restrict bulk tagging functionality to trusted users only and monitor tagging activity logs for unusual patterns. Implement strict role-based access controls (RBAC) to limit the privileges of non-administrative users. Conduct regular audits of file metadata and tagging to detect unauthorized changes. Employ network segmentation to isolate Nextcloud servers and reduce exposure to untrusted networks. Additionally, integrate Nextcloud logs with centralized SIEM solutions to enable real-time alerting on suspicious bulk tagging operations. Educate users about the risks of metadata manipulation and encourage reporting of anomalies. Finally, maintain an up-to-date inventory of Nextcloud deployments and versions to ensure timely vulnerability management.