CVE-2025-64011 — MEDIUM (4.3)

Vulnerability Description

Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing permissions.

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Nextcloud	Nextcloud Server	30.0.0

Related Weaknesses (CWE)

CWE-639

References

https://drive.google.com/file/d/1eD3PN-u1caZYgGH96XHmJ7h_OBXEAHW4/view?usp=shariExploit
https://gist.github.com/tarekramm/586dfe2d113fedfee6d71182570fc090ExploitThird Party Advisory
https://nextcloud.comProduct

FAQ

What is CVE-2025-64011?

CVE-2025-64011 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other user...

How severe is CVE-2025-64011?

CVE-2025-64011 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-64011?

Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server.