
CVE-2025-66553: CWE-639: Authorization Bypass Through User-Controlled Key in nextcloud security-advisories

Severity: Medium
Published: Fri Dec 05 2025 (12/05/2025, 17:18:09 UTC)
Source: CVE Database V5
Vendor/Project: nextcloud
Product: security-advisories

Description

CVE-2025-66553 is a medium-severity authorization bypass vulnerability in Nextcloud Tables versions prior to 0.8.7 and between 0.9.0-beta.1 and 0.9.4. Authenticated users could manipulate numeric IDs in requests to view metadata of columns in other users' tables, exposing potentially sensitive schema information. This vulnerability does not allow modification or deletion of data, nor does it require user interaction beyond authentication.

AI-Powered Analysis

Last updated: 12/12/2025, 19:15:07 UTC

Technical Analysis

CVE-2025-66553 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the Nextcloud Tables app, which allows users to create custom tables with individual columns. In versions prior to 0.8.7 and between 0.9.0-beta.1 and 0.9.4, authenticated users could manipulate the numeric ID parameter in requests to access metadata of columns belonging to other users' tables. This flaw arises from insufficient authorization checks on user-controlled keys, enabling unauthorized read access to metadata that should be restricted. The vulnerability does not permit access to actual table data or modification of any content, limiting its impact to metadata disclosure. The CVSS 3.1 base score is 4.3 (medium), reflecting network attack vector, low complexity, requiring privileges (authenticated user), no user interaction, unchanged scope, limited confidentiality impact, and no integrity or availability impact. The flaw was publicly disclosed on December 5, 2025, with no known exploits in the wild. The issue is resolved in versions 0.8.7 and 0.9.4 by enforcing proper authorization checks on the numeric ID parameter to ensure users can only access metadata of their own tables. Nextcloud Tables is commonly used in collaborative environments for data organization within Nextcloud deployments, which are popular in enterprise and public sector organizations across Europe.
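To make the CWE-639 pattern described above concrete, the following added example (not Nextcloud code; the in-memory tables, columns and function names are constructed for illustration) shows a column-metadata lookup keyed only by the user-supplied numeric ID next to a hardened version that authorizes the caller against the owning table before returning anything.

```python
from dataclasses import dataclass

# Constructed in-memory model of the ownership relation between users,
# tables and columns (illustrative only; not Nextcloud's data model or API).
@dataclass(frozen=True)
class Table:
    table_id: int
    owner: str

@dataclass(frozen=True)
class Column:
    column_id: int
    table_id: int
    title: str
    col_type: str

TABLES = {1: Table(1, "alice"), 2: Table(2, "bob")}
COLUMNS = {
    10: Column(10, 1, "Salary", "number"),
    20: Column(20, 2, "Employee", "text"),
}

def get_column_metadata_vulnerable(column_id: int) -> Column:
    # The key is fully user controlled and never tied to the caller: any
    # authenticated user who guesses a column ID receives its metadata (CWE-639).
    return COLUMNS[column_id]

def get_column_metadata(requester: str, column_id: int) -> Column:
    # Hardened: resolve the column, then authorize against the owning table
    # before returning anything. A missing column and someone else's column
    # fail identically so the response does not reveal which IDs exist.
    column = COLUMNS.get(column_id)
    table = TABLES.get(column.table_id) if column else None
    if table is None or table.owner != requester:
        raise PermissionError(f"{requester} may not read column {column_id}")
    return column

if __name__ == "__main__":
    print(get_column_metadata_vulnerable(20))   # bob's column, no caller check
    print(get_column_metadata("alice", 10))     # alice's own column
    try:
        get_column_metadata("alice", 20)        # bob's column: denied
    except PermissionError as exc:
        print("denied:", exc)
```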

Potential Impact

For European organizations, this vulnerability could lead to unauthorized disclosure of metadata about table structures within Nextcloud Tables, potentially revealing organizational data schemas or sensitive configuration details. While the direct confidentiality impact is limited to metadata and does not expose actual user data or allow data modification, such information could aid attackers in reconnaissance or facilitate further targeted attacks. Organizations in sectors with strict data privacy regulations (e.g., GDPR) may face compliance risks if unauthorized metadata disclosure is considered sensitive. The vulnerability requires authenticated access, so insider threats or compromised accounts pose the main risk vector. Given Nextcloud's widespread adoption in European public administrations, educational institutions, and enterprises, especially in Germany, France, the Netherlands, and the Nordics, the impact could be significant in these regions. However, the absence of known exploits and the medium severity rating suggest a moderate risk level if promptly mitigated.

Mitigation Recommendations

European organizations should immediately identify Nextcloud Tables deployments running affected versions (<0.8.7 or >=0.9.0-beta.1 and <0.9.4) and upgrade to versions 0.8.7 or 0.9.4 or later where the vulnerability is fixed. In addition to patching, organizations should audit user permissions and access controls within Nextcloud to ensure that only authorized users have access to the Tables app and its metadata. Implement strict authentication and session management policies to reduce the risk of compromised accounts being used to exploit this flaw. Network segmentation and monitoring of Nextcloud API requests can help detect anomalous access patterns involving numeric ID manipulation. Security teams should also review logs for unusual access to metadata endpoints and consider deploying Web Application Firewalls (WAFs) with rules to block suspicious parameter tampering. Finally, raising user awareness about the importance of credential security will help mitigate risks from insider threats or account compromise.
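The log review suggested above can be automated; the added example below (not a Nextcloud tool; the log format and the `/apps/tables/api/columns/<id>` path are constructed for illustration, not the app's real log format or endpoint) flags any user that requests more than a threshold of distinct column IDs inside a sliding time window, the access pattern that numeric-ID manipulation produces.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines driving the detector; not Nextcloud's log format.
SAMPLE_LOG = """\
2025-12-06T09:00:01Z user=alice GET /apps/tables/api/columns/10 200
2025-12-06T09:00:02Z user=alice GET /apps/tables/api/columns/11 200
2025-12-06T09:00:03Z user=mallory GET /apps/tables/api/columns/1 200
2025-12-06T09:00:04Z user=mallory GET /apps/tables/api/columns/2 200
2025-12-06T09:00:05Z user=mallory GET /apps/tables/api/columns/3 200
2025-12-06T09:00:06Z user=mallory GET /apps/tables/api/columns/4 200
2025-12-06T09:00:07Z user=mallory GET /apps/tables/api/columns/5 200
2025-12-06T09:00:08Z user=mallory GET /apps/tables/api/columns/6 200
2025-12-06T09:30:00Z user=bob GET /apps/tables/api/columns/20 200
"""

# Hypothetical metadata endpoint: only requests for a numeric column ID match.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) GET /apps/tables/api/columns/(?P<cid>\d+) (?P<status>\d{3})$"
)

def parse(log_text):
    """Yield (timestamp, user, column_id) for each metadata request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["user"], int(m["cid"])

def find_enumerators(log_text, max_distinct_ids=5, window_seconds=60):
    """Return {user: peak distinct column IDs} for users exceeding the
    threshold within any window_seconds-long sliding window."""
    events = defaultdict(list)
    for ts, user, cid in parse(log_text):
        events[user].append((ts, cid))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {cid for _, cid in evs[start:end + 1]}
            if len(distinct) > max_distinct_ids:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # only mallory exceeds the threshold
```

Tune `max_distinct_ids` and `window_seconds` against the normal activity of a given deployment; a user legitimately browsing a large table of their own will also touch many column IDs.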


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-04T15:57:22.034Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 693316b0f88dbe026cfdbe4a

Added to database: 12/5/2025, 5:30:24 PM

Last enriched: 12/12/2025, 7:15:07 PM

Last updated: 1/20/2026, 7:35:15 AM
