Critical Vulnerability Information

Vulnerability Title: Test remote endpoint is not rate limited
Severity Level: Moderate

CVSS v3 Base Metrics:
- Attack Vector: Adjacent
- Attack Complexity: Low
- Required Privileges: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low

Affected Versions

Nextcloud Server:
- Affected Versions: 28.0.13, 29.0.10, 30.0.3
- Fixed Versions: >= 28.0.0, >= 29.0.0, >= 30.0.0

Nextcloud Enterprise Server:
- Affected Versions: 28.0.13, 29.0.10, 30.0.3
- Fixed Versions: >= 28.0.0, >= 29.0.0, >= 30.0.0

Description and Impact

Description: A now-unused endpoint used for verifying share recipients was not properly protected, allowing proxy requests to another server. This endpoint has been removed.
CVE ID: CVE-2025-47791
Weakness: CWE-918

Remediation Recommendations

Patch: It is recommended to upgrade Nextcloud Server to version 28.0.13, 29.0.10, or 30.0.3. It is also recommended to upgrade Nextcloud Enterprise Server to version 28.0.13, 29.0.10, or 30.0.3.

Additional Information

Workarounds: No workarounds are available.
References: PullRequest
More Information:
- Post on nextcloud/security-advisories.
- Customers can open a support ticket at portal.nextcloud.com.