CVE-2025-66551 is an authorization bypass vulnerability affecting Nextcloud Tables, a component that allows users to create and manage custom tables with individual columns. The vulnerability exists in versions prior to 0.8.6 and 0.9.3, where a malicious user with limited privileges can exploit insufficient authorization checks related to user-controlled keys (CWE-639). Specifically, the attacker can create their own table and then move a column into a victim's table, effectively manipulating or corrupting data they should not have access to. This bypass of authorization controls compromises data integrity without directly impacting confidentiality or availability. The vulnerability requires network access, low attack complexity, and low privileges but does require user interaction, such as performing table operations. The CVSS 3.1 score of 6.3 reflects a medium severity rating, with the impact primarily on data integrity and a minor impact on availability. No public exploits are known at this time, but the vulnerability is publicly disclosed and patched in versions 0.8.6 and 0.9.3. Organizations using vulnerable versions of Nextcloud Tables should consider this a significant risk due to the potential for unauthorized data manipulation within collaborative environments.

For European organizations, this vulnerability poses a risk to the integrity of data stored and managed within Nextcloud Tables, especially in environments where multiple users collaborate on shared data sets. Unauthorized column movement into victim tables can lead to data corruption, loss of trust in data accuracy, and potential disruption of business processes relying on this data. While confidentiality is not directly impacted, the integrity breach could have downstream effects on decision-making, compliance reporting, and operational reliability. Organizations in sectors such as finance, healthcare, and public administration—where Nextcloud is often deployed for secure collaboration—may face regulatory scrutiny if data integrity is compromised. The medium severity rating suggests that while the vulnerability is not critical, it should be addressed promptly to avoid exploitation that could undermine data governance and compliance with European data protection standards like GDPR. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure.

1. Immediately upgrade Nextcloud Tables to version 0.8.6 or 0.9.3 or later, where the vulnerability is patched. 2. Audit user permissions and restrict table creation and modification rights to trusted users only, minimizing the attack surface. 3. Implement monitoring and alerting for unusual table modification activities, such as unexpected column movements or table creations by non-administrative users. 4. Conduct regular integrity checks on critical tables to detect unauthorized changes early. 5. Educate users about the risks of interacting with untrusted content or performing unexpected table operations. 6. Apply network segmentation and access controls to limit exposure of Nextcloud instances to only authorized personnel. 7. Review and harden Nextcloud configuration settings related to collaborative features to enforce stricter authorization policies. 8. Stay informed about updates and advisories from Nextcloud and security communities to respond swiftly to emerging threats.