Description
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed to retrieve personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related or added as contacts.
References (3)
Core 3
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-495w-cqv6-wr59
Issue Tracking x_refsource_misc
https://github.com/nextcloud/server/pull/55657
Scores
CVSS v3
4.5
EPSS
0.0030
EPSS Percentile
21.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-359
Status
published
Products (2)
nextcloud/nextcloud_server
28.0.0 - 28.0.14.11
nextcloud/nextcloud_server
31.0.0 - 31.0.10
Published
Dec 05, 2025
Tracked Since
Feb 18, 2026