Nextcloud Approval app allows users to request approval for other...

2.7 / 10

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Description

The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user’s file into the “pending approval” without access to the file by using the numeric file id. This vulnerability is fixed in 1.3.1 and 2.5.0.

Basic Information

ID CVE-2025-66515

Source GitHub_M

Published Dec 5, 2025 at 17:37

Modified Dec 5, 2025 at 18:10

Affected Product

Vendor nextcloud

Product security-advisories

Version >= 2.0.0, < 2.5.0

Affected Versions nextcloud security-advisories >= 2.0.0, < 2.5.0
nextcloud security-advisories < 1.3.1

CWE Classification

CWE-287

References

{
    "lastseen": "",
    "description": "The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user\u2019s file into the \u201cpending approval\u201d without access to the file by using the numeric file id. This vulnerability is fixed in 1.3.1 and 2.5.0.",
    "published": "2025-12-05T17:37:06.767Z",
    "modified": "2025-12-05T18:10:00.615Z",
    "type": "cve",
    "title": "Nextcloud Approval app allows users to request approval for other users file",
    "source": "GitHub_M",
    "references": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q26g-fmjq-x5g5\nhttps://github.com/nextcloud/approval/pull/334\nhttps://github.com/nextcloud/approval/commit/e30b56b7832255311ac800b7875f44866e88fff4\nhttps://hackerone.com/reports/3338748",
    "id": "CVE-2025-66515",
    "bulletinFamily": "",
    "cwe": [
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "nextcloud security-advisories >= 2.0.0, < 2.5.0\nnextcloud security-advisories < 1.3.1",
    "sourceHref": "",
    "cvss": {
        "score": 2.7,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "security-advisories",
    "version": ">= 2.0.0, < 2.5.0",
    "vendor": "nextcloud",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Nextcloud Approval app allows users to request approval for other users file_CVE-2025-66515