CVE-2025-47794

LOW

Nextcloud Server < 26.0.13.13 - Improper Access Control

Title source: rule

Description

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server prior to 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1, an attacker on a multi-user system may read temporary files from Nextcloud running with a different user account, or run a symlink attack. Nextcloud Server versions 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1 fix the issue. No known workarounds are available.

References (3)

[Vendor Advisory] https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q568-2933-gcjq

[Issue Tracking] https://github.com/nextcloud/server/pull/51194

[Permissions Required] https://hackerone.com/reports/1960647

Scores

CVSS v3 2.6

EPSS 0.0003

EPSS Percentile 8.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

Classification

CWE

CWE-284

Status published

Affected Products (2)

nextcloud/nextcloud_server < 26.0.13.13

nextcloud/nextcloud_server < 29.0.13

Timeline

Published May 16, 2025

Tracked Since Feb 18, 2026