CVE-2025-66515

The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user’s file into the “pending approval” without access to the file by using the numeric file id. This vulnerability is fixed in 1.3.1 and 2.5.0.

CVSS v3 2.7 LOW

2.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/approval/commit/e30b56b7832255311ac800b7875f44866e88fff4	Patch
https://github.com/nextcloud/approval/pull/334	Issue Tracking
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q26g-fmjq-x5g5	Patch Vendor Advisory
https://hackerone.com/reports/3338748	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nextcloud:approval::::::nextcloud::*
	cpe:2.3:a:nextcloud:approval::::::nextcloud::*

History

No history.

Information

Published : 2025-12-05 18:15

Updated : 2025-12-09 17:22

NVD link : CVE-2025-66515

Mitre link : CVE-2025-66515

CVE.ORG link : CVE-2025-66515

JSON object : View

Products Affected

nextcloud

approval

CWE

CWE-287

Improper Authentication

{"id": "CVE-2025-66515", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.2}]}, "published": "2025-12-05T18:15:57.623", "references": [{"url": "https://github.com/nextcloud/approval/commit/e30b56b7832255311ac800b7875f44866e88fff4", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/approval/pull/334", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q26g-fmjq-x5g5", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://hackerone.com/reports/3338748", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user\u2019s file into the \u201cpending approval\u201d without access to the file by using the numeric file id. This vulnerability is fixed in 1.3.1 and 2.5.0."}], "lastModified": "2025-12-09T17:22:18.077", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:approval:*:*:*:*:*:nextcloud:*:*", "vulnerable": true, "matchCriteriaId": "37339E72-6EB5-4D2D-82E4-EB81C9FC8E39", "versionEndExcluding": "1.3.1", "versionStartIncluding": "1.0.0"}, {"criteria": "cpe:2.3:a:nextcloud:approval:*:*:*:*:*:nextcloud:*:*", "vulnerable": true, "matchCriteriaId": "558060E7-4BE3-4E6F-93FD-4CF3584CDE96", "versionEndExcluding": "2.5.0", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}