CVE-2025-66515

CWE-287 — Improper Authentication2 documents2 sources

Severity

2.7LOW

EPSS

0.0%

top 93.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Security-advisories Nextcloud Approval

Timeline

PublishedDec 5

Description

The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user’s file into the “pending approval” without access to the file by using the numeric file id. This vulnerability is fixed in 1.3.1 and 2.5.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages2 packages

▶NVDnextcloud/approval1.0.0 — 1.3.1+1

▶CVEListV5nextcloud/security-advisories< 1.3.1+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Nextcloud Approval app allows users to request approval for other users file↗2025-12-05

▶