CVE-2025-66545 LOW

CVE-2025-66545: Nextcloud Groupfolders users with read-only permissions for team folder can restore deleted files from trash bin

Vendor: Nextcloud
Product: security-advisories
Weakness: CWE-707
Published: December 5, 2025
Last update: December 8, 2025

CVSS base score: 3.5/10

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

Nextcloud Groupfolders provides admin-configured folders shared by everyone in a group or team. Prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, a user with read-only permission can restore a file from the trash bin. This vulnerability is fixed in 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2.

Key dates

02 Disclosure timeline

December 5, 2025: CVE published
December 8, 2025: Record updated