CVE-2025-66557 is an improper access control vulnerability classified under CWE-284 affecting Nextcloud Deck, a kanban-style project and personal planning tool integrated with Nextcloud. The flaw exists in the permission logic of versions prior to 1.14.6 and between 1.15.0-beta.1 and 1.15.2, where users granted the 'Can share' permission can modify the permissions of other recipients beyond their intended scope. This permission escalation flaw enables an attacker with limited privileges to alter access rights of other users, potentially granting themselves or others higher privileges or disrupting project collaboration workflows. The vulnerability is remotely exploitable over the network without requiring user interaction but does require the attacker to have at least limited privileges ('Can share'). The CVSS 3.1 base score is 5.4 (medium severity), reflecting the moderate impact on integrity and availability but no confidentiality loss. No known exploits have been reported in the wild as of the publication date. The issue was addressed by Nextcloud in versions 1.14.6 and 1.15.2 by correcting the permission logic to prevent unauthorized modification of recipient permissions. Organizations using vulnerable versions should prioritize patching to prevent potential misuse. The vulnerability highlights the importance of strict access control enforcement in collaborative tools to prevent privilege escalation and unauthorized modifications.

For European organizations, this vulnerability poses a risk to the integrity and availability of project management data and collaboration workflows within Nextcloud Deck. Unauthorized permission changes could lead to data manipulation, disruption of team coordination, or unauthorized access to sensitive project information. This could impact productivity and trust in collaborative environments, especially in sectors relying heavily on Nextcloud for internal project management such as government, education, and enterprises. While confidentiality is not directly affected, the ability to alter permissions can indirectly expose sensitive data if permissions are escalated improperly. The medium severity rating indicates a moderate risk, but the ease of exploitation by users with limited privileges increases the threat surface. Organizations with decentralized teams and extensive use of Nextcloud Deck are particularly vulnerable to insider threats exploiting this flaw. The absence of known exploits suggests limited active attacks currently, but the vulnerability remains a significant risk until patched.

To mitigate this vulnerability, European organizations should immediately upgrade Nextcloud Deck to version 1.14.6 or 1.15.2 or later, where the permission logic flaw is fixed. In addition to patching, organizations should conduct a thorough audit of user permissions within Nextcloud Deck to identify and remediate any unauthorized permission changes that may have occurred. Implement strict role-based access control policies to limit the assignment of 'Can share' permissions only to trusted users. Enable detailed logging and monitoring of permission changes to detect suspicious activities early. Consider deploying network segmentation and access controls to restrict Nextcloud access to authorized personnel only. Educate users about the risks of permission misuse and enforce least privilege principles. Regularly review and update Nextcloud and its components to incorporate security patches promptly. If upgrading immediately is not feasible, temporarily restrict 'Can share' permissions to essential users only to reduce exploitation risk.