CVE-2025-66556: CWE-639: Authorization Bypass Through User-Controlled Key in nextcloud security-advisories
Nextcloud Talk is a video & audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions was able to delete poll drafts of other participants within the conversation based on their numeric ID. This vulnerability is fixed in 20.1.8 and 21.1.2.
AI Analysis
Technical Summary
CVE-2025-66556 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting Nextcloud Talk, a video and audio conferencing application integrated into the Nextcloud platform. The flaw exists in versions prior to 20.1.8 and 21.1.2, where a participant with chat permissions can delete poll drafts created by other participants within the same conversation. This is possible because the application improperly authorizes actions based on a numeric poll draft ID that can be manipulated by the user, allowing unauthorized deletion of other users' poll drafts. The vulnerability does not expose confidential information nor does it impact system availability but compromises data integrity by allowing unauthorized modification of conversation content. Exploitation requires the attacker to have at least chat permissions and to interact with the application to specify the target poll draft ID. The issue was addressed in Nextcloud Talk versions 20.1.8 and 21.1.2 by enforcing proper authorization checks on poll draft deletion requests. The CVSS v3.1 base score is 3.5, reflecting low severity due to limited impact and required privileges. No known active exploits have been reported, indicating a low immediate threat but a potential risk if unpatched.
Potential Impact
For European organizations, the primary impact of this vulnerability is the potential unauthorized modification of collaborative content within Nextcloud Talk conversations. This could undermine trust in meeting artifacts, disrupt decision-making processes, or cause confusion if poll drafts are deleted without authorization. While the confidentiality and availability of communications remain unaffected, the integrity of collaborative data is compromised. Organizations relying heavily on Nextcloud Talk for internal communications and decision-making may face operational inefficiencies or reputational damage if such unauthorized actions occur. Given the low CVSS score and the need for chat permissions, the risk is moderate but should not be ignored, especially in regulated sectors where data integrity is critical. The absence of known exploits reduces immediate risk but patching is essential to prevent future exploitation.
Mitigation Recommendations
European organizations should immediately upgrade Nextcloud Talk to versions 20.1.8 or 21.1.2 or later to remediate this vulnerability. Administrators should audit user permissions to ensure that only trusted users have chat permissions, minimizing the risk of insider misuse. Implement monitoring and logging of poll draft deletion activities to detect unusual or unauthorized actions. Consider restricting poll draft deletion capabilities to higher privilege roles if feasible. Regularly review and update Nextcloud and its apps to the latest stable releases to benefit from security patches. Additionally, educate users about the importance of reporting unexpected changes in collaborative content. Employ network segmentation and access controls to limit exposure of Nextcloud services to only necessary users and networks. Finally, maintain an incident response plan to address any detected misuse promptly.
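As an added illustration, not Nextcloud Talk's own code, the following Python model shows the authorization pattern described in the technical summary (a delete handler that checks only chat permission and trusts the caller-supplied numeric draft ID) beside the fixed check that also verifies conversation membership and ownership, plus the per-deletion audit record that the monitoring recommendation above depends on. The draft store layout, the permission name and the sample users are assumptions.

```python
from dataclasses import dataclass, field

CHAT = "chat"  # hypothetical permission name; the only right the vulnerable path checks

@dataclass
class Draft:
    draft_id: int
    conversation_id: int
    author: str

@dataclass
class Store:
    drafts: dict = field(default_factory=dict)        # draft_id -> Draft
    permissions: dict = field(default_factory=dict)   # (user, conversation_id) -> set of rights
    audit_log: list = field(default_factory=list)     # (actor, owner, draft_id, outcome)

class Forbidden(Exception):
    pass

def delete_draft_vulnerable(store, actor, conversation_id, draft_id):
    """Pre-fix behaviour: authorizes on chat permission alone and trusts
    the user-supplied numeric draft ID (CWE-639)."""
    if CHAT not in store.permissions.get((actor, conversation_id), set()):
        raise Forbidden("no chat permission")
    draft = store.drafts.pop(draft_id)  # any participant can delete any draft
    store.audit_log.append((actor, draft.author, draft_id, "deleted"))
    return draft

def delete_draft_fixed(store, actor, conversation_id, draft_id):
    """Fixed behaviour: the draft must exist, belong to this conversation
    and be owned by the caller before anything is mutated."""
    if CHAT not in store.permissions.get((actor, conversation_id), set()):
        raise Forbidden("no chat permission")
    draft = store.drafts.get(draft_id)
    if draft is None or draft.conversation_id != conversation_id:
        raise Forbidden("draft not in this conversation")
    if draft.author != actor:
        store.audit_log.append((actor, draft.author, draft_id, "refused"))
        raise Forbidden("not the draft owner")
    del store.drafts[draft_id]
    store.audit_log.append((actor, draft.author, draft_id, "deleted"))
    return draft

def cross_user_deletions(store):
    """Detection helper: successful deletions where the actor was not the owner."""
    return [e for e in store.audit_log if e[3] == "deleted" and e[0] != e[1]]
```

On a patched deployment `cross_user_deletions` should stay empty; any entry there is the signal the monitoring recommendation is meant to surface.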
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-04T16:01:32.472Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69332135f88dbe026c01495c
Added to database: 12/5/2025, 6:15:17 PM
Last enriched: 12/5/2025, 6:30:45 PM
Last updated: 12/7/2025, 11:46:13 PM