Vulnerability Description
The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user’s file into the “pending approval” state without having access to the file, by using the numeric file ID. This vulnerability is fixed in 1.3.1 and 2.5.0.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Approval | >= 1.0.0, < 1.3.1 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/approval/commit/e30b56b7832255311ac800b7875f44866e8 (Patch)
- https://github.com/nextcloud/approval/pull/334 (Issue Tracking)
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q26g-f (Patch, Vendor Advisory)
- https://hackerone.com/reports/3338748 (Issue Tracking, Vendor Advisory)
FAQ
What is CVE-2025-66515?
CVE-2025-66515 is a vulnerability with a CVSS score of 2.7 (LOW). The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user’s file into ...
How severe is CVE-2025-66515?
CVE-2025-66515 has been rated LOW with a CVSS base score of 2.7/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-66515?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Approval.