CVE-2025-66552 MEDIUM

CVE-2025-66552: Nextcloud Server admin_audit does not log all actions on files in groupfolders

Vendor Nextcloud
Product security-advisories
Weakness CWE-778
Published December 5, 2025
Last update December 5, 2025

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01 Description

Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 30.0.9 and 31.0.1, incorrect path handling with groupfolders caused the admin_audit app to not properly log all actions on files and folders inside groupfolders. This vulnerability is fixed in Nextcloud Server and Enterprise Server 30.0.9 and 31.0.1.

Key dates

02 Disclosure timeline

December 5, 2025 CVE published
December 5, 2025 Record updated