CVE-2025-47794

Summary

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server prior to 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1, an attacker on a multi-user system may read temporary files from Nextcloud running with a different user account, or run a symlink attack. Nextcloud Server versions 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1 fix the issue. No known workarounds are available.

Affected Software

VendorProductVersion RangeStatus
nextcloudsecurity-advisories>= 26.0.0, < 26.0.13.13affected
nextcloudsecurity-advisories>= 27.0.0, < 27.1.11.13affected
nextcloudsecurity-advisories>= 28.0.0, < 28.0.14.4affected
nextcloudsecurity-advisories>= 29.0.0, < 29.0.13affected
nextcloudsecurity-advisories>= 30.0.0, < 30.0.7affected
nextcloudsecurity-advisories>= 31.0.0, < 31.0.1affected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References