CVE-2025-66515

2.7 LOW

📋 TL;DR

This vulnerability in the Nextcloud Approval app allows an authenticated user who is listed as a requester in an approval workflow to mark any file as 'pending approval' knowing only its numeric file ID, including files the user cannot otherwise see. The attacker gains no read or write access to the file; only its approval status changes. Affected: Approval app 1.x before 1.3.1 and 2.x before 2.5.0, on instances where at least one workflow with requesters is configured.

💻 Affected Systems

Products:
  • Nextcloud Approval app
Versions: 1.x before 1.3.1 and 2.x before 2.5.0
Operating Systems: All platforms running Nextcloud
Default Config Vulnerable: ⚠️ Yes, once a workflow exists: the app has no setting that prevents the issue, so any instance with a workflow that has requesters is exposed
Notes: Requires the Approval app to be installed and at least one workflow configured with users assigned as requesters. Only those requester accounts can trigger the issue.

📦 What is this software?

The Nextcloud Approval app adds document approval workflows to a Nextcloud instance: an administrator defines workflows, users assigned as requesters in a workflow can mark files as 'pending approval', and the workflow's approvers then approve or reject them. The vulnerable operation is the 'mark as pending approval' step.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could disrupt business workflows by marking critical files as pending approval, potentially delaying important processes or creating confusion about file status.

🟠

Likely Case

Limited workflow disruption where users find their files unexpectedly marked for approval, requiring manual intervention to correct.

🟢

If Mitigated

Minimal impact once the app is patched or requester roles are restricted, as the vulnerability does not grant read or write access to the affected files; only their approval status is changed.

🌐 Internet-Facing: MEDIUM - An Internet-facing instance is only exposed to accounts that hold a requester role in some workflow; anonymous visitors cannot trigger the issue, and the impact is limited to approval status changes.
🏢 Internal Only: MEDIUM - Internal users holding requester roles could abuse this to disrupt workflows, though the impact is still limited to approval status changes.

🎯 Exploit Status

Public PoC: No
Weaponized: No
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires an authenticated account with a requester role and the numeric ID of the target file. File IDs are small sequential integers, so a requester does not need access to the target file to guess its ID; once those conditions are met the technique is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.1 or 2.5.0

Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q26g-fmjq-x5g5

Restart Required: No

Instructions:

1. Update the Approval app to 1.3.1 (1.x branch) or 2.5.0 (2.x branch) via the Nextcloud app store or a manual installation.
2. Verify the installed version on the admin Apps page or with occ app:list.
3. No server restart is required.

🔧 Temporary Workarounds

Disable Approval app

linux

Temporarily disable the Approval app if immediate patching isn't possible. Run from the Nextcloud root as the web server user (www-data on Debian-based systems; adjust for your distribution):

sudo -u www-data php occ app:disable approval

Restrict requester roles

all

Review every workflow and limit the users and groups assigned as requesters to trusted personnel only; only requester accounts can trigger the issue

🧯 If You Can't Patch

  • Implement strict access controls on who can be assigned as requesters in workflows
  • Monitor approval workflow logs for unusual activity and file status changes

🔍 How to Verify

Check if Vulnerable:

Read the installed Approval app version (Nextcloud admin settings > Apps, or the command below) and compare it with the fixed version of its branch: 1.x below 1.3.1 or 2.x below 2.5.0 is vulnerable.

Check Version:

sudo -u www-data php occ app:list | grep approval

Verify Fix Applied:

Confirm the Approval app version is 1.3.1 or higher (1.x branch) or 2.5.0 or higher (2.x branch)
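The version comparison above is easy to get wrong by hand (2.10.0 is newer than 2.5.0, and each branch has its own fix). The following is an added example, not code from the advisory or the Nextcloud project: it parses the Approval app version either from `occ app:list` output or straight from `occ config:app:get approval installed_version` on a live host, and reports whether it predates the branch fix. The `occ app:list` sample is constructed to match that command's line layout; the `installed_version()` helper assumes the script runs from the Nextcloud root as the web server user.

```python
"""Decide whether an installed Nextcloud Approval app version is affected by CVE-2025-66515.

Added example (not from the advisory or the Nextcloud project). Fixed versions come from the
advisory: 1.x is fixed in 1.3.1, 2.x in 2.5.0.
"""
import re
import subprocess

FIXED = {1: (1, 3, 1), 2: (2, 5, 0)}  # major branch -> first fixed version


def parse_version(text):
    """'2.4.0' -> (2, 4, 0). A missing patch component counts as 0; a suffix such as '-beta1' is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_vulnerable(version):
    """True if the version predates the fix on its branch, False if fixed,
    None if the branch (e.g. 0.x or 3.x) is not covered by the advisory."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed


def version_from_app_list(app_list_output):
    """Pull the approval version out of `occ app:list` output (lines like '  - approval: 2.4.0').
    Returns None if the app is not listed, i.e. not installed."""
    m = re.search(r"^\s*-\s*approval:\s*(\S+)\s*$", app_list_output, re.MULTILINE)
    return m.group(1) if m else None


def installed_version(php="php", occ="occ"):
    """Read the version from a live instance (assumption: run from the Nextcloud root
    as the web server user, e.g. via `sudo -u www-data python3 check.py`)."""
    out = subprocess.check_output(
        [php, occ, "config:app:get", "approval", "installed_version"], text=True
    )
    return out.strip()


# Constructed sample of `occ app:list` output for offline use; not captured from a real instance.
SAMPLE_APP_LIST = """Enabled:
  - activity: 2.21.0
  - approval: 2.4.0
  - files: 2.1.0
Disabled:
  - encryption: 2.19.0
"""

if __name__ == "__main__":
    v = version_from_app_list(SAMPLE_APP_LIST)  # swap for installed_version() on a real host
    state = {True: "VULNERABLE", False: "fixed", None: "branch not covered by the advisory"}
    print(f"approval {v}: {state[is_vulnerable(v)]}")
```

`is_vulnerable()` returns `None` rather than guessing for branches the advisory does not mention, so a 3.x or 0.x version is surfaced for manual review instead of being silently marked safe.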

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file status changes to 'pending approval'
  • Approval requests from users not associated with the affected files

Network Indicators:

  • Requests to Approval app endpoints carrying file IDs that the requesting user does not own (this needs the file ID correlated with the file's owner; web server access logs alone show the URL but not the Nextcloud account behind a session cookie)

SIEM Query:

source="nextcloud.log" AND "pending approval" AND user!="file_owner"

Treat this as a template rather than a working rule: nextcloud.log may not contain the literal text 'pending approval', and user!="file_owner" compares the user field against the literal string file_owner. A usable rule has to extract the file ID from the request, join it against that file's owner (a lookup table or an enrichment step), and alert when the acting user differs from the owner.
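As an added example of the owner join the query above hand-waves (not code from the advisory or the Nextcloud project), the script below reads JSON records in the nextcloud.log layout (one object per line with `user`, `method` and `url` fields), pulls the file ID from approval requests, and flags any request whose file belongs to a different user. Two things are assumptions: the URL pattern in `APPROVAL_URL_RE` (the Approval app's real routes may differ, so set it to what your version exposes) and the ownership map, which in production you would build from the file's home storage (oc_filecache joined to oc_storages) rather than hard-code. The log lines are constructed for the example. Note also that nextcloud.log only carries entries for requests that logged something at the configured loglevel, so for full coverage feed the same logic a complete request or audit log.

```python
"""Flag Approval app requests that target files the acting user does not own (CVE-2025-66515).

Added example, not from the advisory or the Nextcloud project.
"""
import json
import re

# ASSUMPTION: the Approval app's request URLs carry the numeric file ID as a path segment.
# Adapt this pattern to the routes your installed version actually exposes.
APPROVAL_URL_RE = re.compile(r"/apps/approval/.*?/(?P<file_id>\d+)(?:[/?]|$)")


def extract_file_id(url):
    """Return the file ID embedded in an approval request URL, or None if the URL is unrelated."""
    m = APPROVAL_URL_RE.search(url)
    return int(m.group("file_id")) if m else None


def find_cross_owner_requests(log_lines, owner_of):
    """Return (user, file_id, owner, url) for every POST/PUT to an approval endpoint whose
    file belongs to someone other than the acting user. `owner_of` maps file ID -> owner uid."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)  # nextcloud.log is one JSON object per line
        except json.JSONDecodeError:
            continue
        if rec.get("method") not in ("POST", "PUT"):
            continue  # status changes are writes; GETs only read state
        file_id = extract_file_id(rec.get("url", ""))
        if file_id is None:
            continue
        user = rec.get("user")
        owner = owner_of.get(file_id)
        if owner is not None and owner != user:
            hits.append((user, file_id, owner, rec["url"]))
    return hits


# Constructed sample records in the nextcloud.log field layout; not real logs.
SAMPLE_LOG = """
{"reqId":"a1","level":1,"time":"2025-12-01T10:00:00+00:00","remoteAddr":"10.0.0.5","user":"alice","app":"approval","method":"POST","url":"/ocs/v2.php/apps/approval/api/v1/request/4711","message":"sample"}
{"reqId":"a2","level":1,"time":"2025-12-01T10:00:03+00:00","remoteAddr":"10.0.0.9","user":"bob","app":"approval","method":"POST","url":"/ocs/v2.php/apps/approval/api/v1/request/4711?format=json","message":"sample"}
{"reqId":"a3","level":1,"time":"2025-12-01T10:00:05+00:00","remoteAddr":"10.0.0.9","user":"bob","app":"approval","method":"GET","url":"/ocs/v2.php/apps/approval/api/v1/request/4711","message":"sample"}
not a json line
"""

# Constructed ownership map (file ID -> owner). Build it from the file's storage in practice.
SAMPLE_OWNERS = {4711: "alice", 4712: "carol"}

if __name__ == "__main__":
    for user, file_id, owner, url in find_cross_owner_requests(SAMPLE_LOG.splitlines(), SAMPLE_OWNERS):
        print(f"ALERT user={user} changed approval state of file {file_id} owned by {owner}: {url}")
```

Alice marking her own file produces no alert; Bob's POST against Alice's file 4711 does, while his GET of the same URL is ignored because it changes nothing. Files missing from the ownership map are skipped rather than alerted on, so keep that map complete for the storages you care about.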
