Nextcloud Groupfolders R/O Users Can Restore Trash Before v14.0.11
CVE-2025-66545 Published on December 5, 2025
Nextcloud Groupfolders users with read-only permissions for team folder can restore deleted files from trash bin
Nextcloud Groupfolders provides admin-configured folders shared by everyone in a group or team. Prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, a user with read-only permission can restore a file from the trash bin. This vulnerability is fixed in 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2.
Vulnerability Analysis
CVE-2025-66545 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
Improper Neutralization
The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
Products Associated with CVE-2025-66545
Want to know whenever a new CVE is published for Nextcloud? stack.watch will email you.
Affected Versions
nextcloud security-advisories:- Version < 14.0.11 is affected.
- Version >= 15.0.0-beta1, < 15.3.12 is affected.
- Version >= 16.0.0, < 16.0.15 is affected.
- Version >= 17.0.0-beta.1, < 17.0.14 is affected.
- Version >= 18.0.0-beta.1, < 18.1.8 is affected.
- Version >= 19.0.0-alpha.1, < 19.1.8 is affected.
- Version >= 20.0.0, < 20.1.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.