Nextcloud talk allows participants to blindly delete poll drafts of...

3.5 / 10

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Description

Nextcloud talk is a video & audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions was able to delete poll drafts of other participants within the conversation based on their numeric ID. This vulnerability is fixed in 20.1.8 and 21.1.2.

Basic Information

ID CVE-2025-66556

Source GitHub_M

Published Dec 5, 2025 at 17:56

Modified Dec 5, 2025 at 18:09

Affected Product

Vendor nextcloud

Product security-advisories

Version < 20.1.8

Affected Versions nextcloud security-advisories < 20.1.8
nextcloud security-advisories >= 21.0.0-beta.1, < 21.1.2

CWE Classification

CWE-639

References

{
    "lastseen": "",
    "description": "Nextcloud talk is a video & audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions was able to delete poll drafts of other participants within the conversation based on their numeric ID. This vulnerability is fixed in 20.1.8 and 21.1.2.",
    "published": "2025-12-05T17:56:44.463Z",
    "modified": "2025-12-05T18:09:34.326Z",
    "type": "cve",
    "title": "Nextcloud talk allows participants to blindly delete poll drafts of other users by ID",
    "source": "GitHub_M",
    "references": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pr9f-vqgg-m2jh\nhttps://github.com/nextcloud/spreed/pull/15532\nhttps://github.com/nextcloud/spreed/commit/bd68e80d1dea98d84c1d621c2c681238cf041725\nhttps://hackerone.com/reports/3247386",
    "id": "CVE-2025-66556",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "nextcloud security-advisories < 20.1.8\nnextcloud security-advisories >= 21.0.0-beta.1, < 21.1.2",
    "sourceHref": "",
    "cvss": {
        "score": 3.5,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "security-advisories",
    "version": "< 20.1.8",
    "vendor": "nextcloud",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Nextcloud talk allows participants to blindly delete poll drafts of other users by ID_CVE-2025-66556