VYPR
Medium severity, score 6.5 · NVD Advisory · Published Jun 1, 2026

CVE-2026-45275

Description

Nextcloud Approval app vulnerability allows unauthorized file sharing and privilege escalation, patched in v2.7.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A privilege escalation vulnerability exists in the Nextcloud Approval app prior to version 2.7.2. This flaw allows a user who lacks sharing permissions to compel the system to share a file with approvers, bypassing authorization controls.

Exploitation

An attacker with user-level access can exploit this vulnerability by initiating a file approval process. This action forces the system to share the targeted file with designated approvers, regardless of the attacker's actual sharing permissions.

Impact

Successful exploitation results in an authorization bypass and privilege escalation. This allows an unauthorized user to distribute restricted files, leading to unauthorized access and potential data leakage.

Mitigation

This issue has been patched in version 2.7.2 of the Nextcloud Approval app. Administrators are advised to upgrade to this version. If an upgrade is not immediately possible, the Approval app can be disabled as a workaround. No other workarounds are available [2].

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

3460b69c2188

Merge pull request #392 from nextcloud/better-testing

https://github.com/nextcloud/approval · Lukas Schaefer · Mar 16, 2026 · via nvd-ref
3 files changed · +60 -0
  • lib/Service/ApprovalService.php (+4 -0, modified)
    @@ -451,6 +451,10 @@ public function request(int $fileId, int $ruleId, ?string $userId, bool $createS
     			return ['error' => $this->l10n->t('You do not have access to this file')];
     		}
     
    +		if ($createShares && !$this->utilsService->userCanShareFile($fileId, $userId)) {
    +			return ['error' => $this->l10n->t('You can not share this file')];
    +		}
    +
     		$rule = $this->ruleService->getRule($ruleId);
     		if (is_null($rule)) {
     			return ['error' => $this->l10n->t('Rule does not exist')];
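Review bot: The new share-permission check is placed after the access check and before the rule lookup, so a caller without share rights gets `You can not share this file` without the rule id ever being resolved, which is the right ordering; but the check is gated on `$createShares`, so please confirm in review that `request()` is the only entry point that creates shares to approvers, otherwise the same `userCanShareFile()` guard is needed on the other path. Style point on the message: `You cannot share this file` is the usual spelling.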
    
  • lib/Service/UtilsService.php (+17 -0, modified)
    @@ -134,6 +134,23 @@ public function userHasAccessTo(int $fileId, ?string $userId): bool {
     		return false;
     	}
     
    +	/**
    +	 * Check if user can share a given file
    +	 *
    +	 * @param int $fileId
    +	 * @param string|null $userId
    +	 * @return bool
    +	 */
    +	public function userCanShareFile(int $fileId, ?string $userId): bool {
    +		$user = $this->userManager->get($userId);
    +		if ($user instanceof IUser) {
    +			$userFolder = $this->root->getUserFolder($userId);
    +			$node = $userFolder->getFirstNodeById($fileId);
    +			return $node !== null && $node->isShareable();
    +		}
    +		return false;
    +	}
    +
     	/**
     	 * @param string $name of the new tag
     	 * @return array
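Review bot: `$userId` is declared `?string` but is passed straight into `$this->userManager->get($userId)`; add an explicit `if ($userId === null) { return false; }` at the top rather than relying on `get()` tolerating null. The docblock should also say what "can share" means here: the result is `isShareable()` on the first node found by id inside the user's own folder (`getFirstNodeById`), so it reflects the share bit of whichever mount is found first, including permissions granted on a share received from another user; if a file can be reachable through more than one node with different permissions, decide whether the first match is the intended answer and document that.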
    
  • tests/unit/Service/ApprovalServiceTest.php (+39 -0, modified)
    @@ -23,6 +23,8 @@
     
     use OCP\Share\IManager as IShareManager;
     
    +use OCP\Share\IShare;
    +
     use OCP\SystemTag\ISystemTagManager;
     use OCP\SystemTag\ISystemTagObjectMapper;
     
    @@ -384,4 +386,41 @@ public function testApproval() {
     		$stateForUser1 = $this->approvalService->getApprovalState($fileToReject->getId(), 'user1');
     		$this->assertEquals(Application::STATE_REJECTED, $stateForUser1['state']);
     	}
    +
    +	public function testRequestWithCreateSharesWhenUserCannotShareReturnsError(): void {
    +		// Share a file from user1 to user2 with read-only (no share permission).
    +		// user2 has access but cannot share -> request with createShares true must return error.
    +		$uf1 = $this->root->getUserFolder('user1');
    +		$file = $uf1->newFile('file_no_share.txt', 'content');
    +		$shared = $this->utilsService->createShare(
    +			$file,
    +			IShare::TYPE_USER,
    +			'user2',
    +			'user1',
    +			'label'
    +		);
    +		$this->assertTrue($shared);
    +
    +		// Add some tags
    +		$r = $this->utilsService->createTag('pending4');
    +		$idTagPending4 = $r['id'];
    +		$r = $this->utilsService->createTag('approved4');
    +		$idTagApproved4 = $r['id'];
    +		$r = $this->utilsService->createTag('rejected4');
    +		$idTagRejected4 = $r['id'];
    +
    +		$r = $this->ruleService->createRule(
    +			$idTagPending4, $idTagApproved4, $idTagRejected4,
    +			[['entityId' => 'user3', 'type' => 'user']],
    +			[['entityId' => 'user2', 'type' => 'user']],
    +			'user 2 request, 3 approves',
    +			false
    +		);
    +		$ruleId = $r['id'];
    +
    +		$result = $this->approvalService->request($file->getId(), $ruleId, 'user2', true);
    +		$this->assertArrayHasKey('error', $result);
    +
    +		$this->ruleService->deleteRule($ruleId);
    +	}
     }
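Review bot: `assertArrayHasKey('error', $result)` is too weak for what this test is meant to prove: it would also pass if `request()` failed earlier with `You do not have access to this file` or `Rule does not exist`. Assert the specific message (`You can not share this file`) and, ideally, that no share to `user3` exists afterwards. The comment says the share from user1 to user2 is read-only, but `createShare($file, IShare::TYPE_USER, 'user2', 'user1', 'label')` passes no permissions, so the test depends on `createShare()`'s default excluding the share permission; make that explicit, and add the positive counterpart (a user who can share calls `request()` with `$createShares = true` and gets no error) so the new guard is not accidentally rejecting everyone.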
    
