Authorization Bypass Through User-Controlled Key

CVE-2025-66556

Low

3.5/10

Summary

Nextcloud talk is a video & audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions was able to delete poll drafts of other participants within the conversation based on their numeric ID. This vulnerability is fixed in 20.1.8 and 21.1.2.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: LOW
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-639 - Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References

Advisory Timeline

Published Dec 05, 2025

Authorization Bypass Through User-Controlled Key

CVE-2025-66556

Summary

CWE-639 - Authorization Bypass Through User-Controlled Key

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS