CVE-2025-66558
published 2025-12-05

Priority: P4 20, Severity: medium, CVSS 3.1 base score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS: 0.23% (13.3rd percentile)

Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attacker to take away a 2FA WebAuthn device when correctly guessing an 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker cannot authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1.

Affected (4 ranges)

Vendor     | Product               | Version range      | Fixed in
-----------|-----------------------|--------------------|---------
nextcloud  | security-advisories   | < 1.4.2            | 1.4.2
nextcloud  | security-advisories   |                    |
nextcloud  | two-factor_webauthn   | >= 1.0.0 < 1.4.2   | 1.4.2
nextcloud  | two-factor_webauthn   | >= 2.0.0 < 2.4.1   | 2.4.1