CVE-2025-47794
Severity CVSS v4.0:
Pending analysis
Type:
CWE-284
Improper Access Control
Publication date:
16/05/2025
Last modified:
30/09/2025
Description
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server prior to 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1, an attacker on a multi-user system may read temporary files from Nextcloud running with a different user account, or run a symlink attack. Nextcloud Server versions 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1 fix the issue. No known workarounds are available.
Impact
Base Score 3.x
2.60
Severity 3.x
LOW
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:* | 26.0.0 (including) | 26.0.13.13 (excluding) |
| cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:* | 27.0.0 (including) | 27.1.11.13 (excluding) |
| cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:* | 28.0.0 (including) | 28.0.14.4 (excluding) |
| cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:* | 29.0.0 (including) | 29.0.13 (excluding) |
| cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:* | 29.0.0 (including) | 29.0.13 (excluding) |
| cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:* | 30.0.0 (including) | 30.0.7 (excluding) |
| cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:* | 30.0.0 (including) | 30.0.7 (excluding) |
| cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:* | 31.0.0 (including) | 31.0.1 (excluding) |
| cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:* | 31.0.0 (including) | 31.0.1 (excluding) |
To consult the complete list of CPE names with products and versions, see this page