Skip to main content

Nextcloud CVE-2025-66558

| EUVD-2025-201460 LOW
Authorization Bypass Through User-Controlled Key (CWE-639)
2025-12-05 security-advisories@github.com
Authentication Bypass Nextcloud
3.1
CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 15, 2026 - 17:08 euvd
EUVD-2025-201460
Analysis Generated
Mar 15, 2026 - 17:08 vuln.today
Patch released
Mar 15, 2026 - 17:08 nvd
Patch available
CVE Published
Dec 05, 2025 - 18:15 nvd
LOW 3.1

DescriptionNVD

Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attack to take-away a 2FA webauthn device when correctly guessing a 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker can not authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1.

Analysis

Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attack to take-away a 2FA webauthn device when correctly guessing a 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker can not authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1.

Technical ContextAI

This vulnerability is classified as Authorization Bypass Through User-Controlled Key (CWE-639).

RemediationAI

A vendor patch is available. Apply it as soon as possible and verify the fix.

Share

CVE-2025-66558 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy