{"id":"CVE-2025-47794","summary":"Nextcloud Server vulnerable to insecure temporary file creation, race with write access and permission","details":"Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server prior to 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server prior to 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1, an attacker on a multi-user system may read temporary files created by Nextcloud running under a different user account, or carry out a symlink attack. Nextcloud Server versions 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1 fix the issue. No known workarounds are available.","aliases":["GHSA-q568-2933-gcjq"],"modified":"2026-04-02T12:50:25.913217Z","published":"2025-05-16T14:35:25.280Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/47xxx/CVE-2025-47794.json","cwe_ids":["CWE-284"]},"references":[{"type":"WEB","url":"https://hackerone.com/reports/1960647"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/47xxx/CVE-2025-47794.json"},{"type":"ADVISORY","url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q568-2933-gcjq"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47794"},{"type":"FIX","url":"https://github.com/nextcloud/server/pull/51194"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nextcloud/server","events":[{"introduced":"36ae775aa7c9af22bf33645a2d8807206ec6c85f"},{"fixed":"dab944fd6a9c1cdc354d056275a438a2e9896455"}],"database_specific":{"versions":[{"introduced":"29.0.0"},{"fixed":"29.0.13"}]}},{"type":"GIT","repo":"https://github.com/nextcloud/server","events":[{"introduced":"656488893e2175e19fbe273d76a5e16a598000c7"},{"fixed":"5dd6bf7d216ec1a0d53182cd999de41e9065c3d7"}],"database_specific":{"versions":[{"introduced":"30.0.0"},{"fixed":"30.0.7"}]}},{"
type":"GIT","repo":"https://github.com/nextcloud/server","events":[{"introduced":"051e46a7a272300cf7c90b3e330fd1501fd6a996"},{"fixed":"ca86133382c6efb7c0eb82e5b9806a84bad2b9dc"}],"database_specific":{"versions":[{"introduced":"31.0.0"},{"fixed":"31.0.1"}]}}],"versions":["v29.0.0","v29.0.1","v29.0.10","v29.0.10rc1","v29.0.11","v29.0.11rc1","v29.0.12","v29.0.12rc1","v29.0.12rc2","v29.0.13rc1","v29.0.13rc2","v29.0.1rc1","v29.0.2","v29.0.2rc1","v29.0.2rc2","v29.0.3","v29.0.3rc1","v29.0.3rc2","v29.0.3rc3","v29.0.3rc4","v29.0.4","v29.0.4rc1","v29.0.5","v29.0.5rc1","v29.0.6","v29.0.6rc1","v29.0.7","v29.0.7rc1","v29.0.8","v29.0.8rc1","v29.0.9","v29.0.9rc1","v29.0.9rc2","v30.0.0","v30.0.1","v30.0.1rc1","v30.0.1rc2","v30.0.2","v30.0.2rc1","v30.0.2rc2","v30.0.3","v30.0.3rc1","v30.0.3rc2","v30.0.4","v30.0.4rc1","v30.0.5","v30.0.5rc1","v30.0.6","v30.0.6rc1","v30.0.6rc2","v30.0.7rc1","v30.0.7rc2","v31.0.0","v31.0.1rc1","v31.0.1rc2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47794.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N"}]}