← back
CVE-2025-66549

Nextcloud Desktop discloses information when attempting to lock a file inside a end-to-end encrypted directory

CVSS 2.4 LOWEPSS 0.2%CWE-209
Vexday Risk Score
8Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 2.4EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
05 Dec 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
Affected products
nextcloud · security-advisories

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/nextcloud/desktop/commit/36d6c234d42b06a6f2e9de3e413a5c3c625edad6https://github.com/nextcloud/desktop/pull/8330https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h9xj-qh76-q3hwhttps://hackerone.com/reports/3159877