Unrated severityNVD Advisory· Published Dec 5, 2025· Updated Dec 5, 2025

Nextcloud Approval app allows users to request approval for other users file

CVE-2025-66515

Description

The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user’s file into the “pending approval” without access to the file by using the numeric file id. This vulnerability is fixed in 1.3.1 and 2.5.0.

Affected products

Nextcloud/Approvalllm-create
Range: >1.3.1, >2.5.0
nextcloud/security-advisoriesv5
Range: >= 2.0.0, < 2.5.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/nextcloud/approval/commit/e30b56b7832255311ac800b7875f44866e88fff4mitrex_refsource_MISC
github.com/nextcloud/approval/pull/334mitrex_refsource_MISC
github.com/nextcloud/security-advisories/security/advisories/GHSA-q26g-fmjq-x5g5mitrex_refsource_CONFIRM
hackerone.com/reports/3338748mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000