Platform
nextcloud
Component
approval
Fixed in
2.0.1
1.3.2
CVE-2025-66515 affects the Nextcloud Approval app, the component that manages file approval workflows in Nextcloud. An authenticated user who is designated as a 'requester' in an approval workflow can place another user's file into the 'pending approval' state without having any access to that file: the requester role alone is enough to submit a file, and the app does not check that the requester can actually read it. The fix is in 2.0.1 for the 2.x branch and 1.3.2 for the 1.x branch; earlier releases of both branches are affected.
This is an authorization bypass inside the Approval app, not a bypass of file access itself: the requester still cannot read or modify the target file. What the requester can do is push files they should not even be able to reference into an approval queue. That affects the integrity of the workflow: approvers are presented with approval requests for files the requester had no access to, and any automation keyed to the approval state (actions that run once a file is approved or rejected, for example) can be triggered for files that were never legitimately submitted. The CVSS rating is LOW, and nothing on this page indicates that the flaw exposes file contents or leads to privilege escalation. It still deserves prompt attention where the approval state is relied on as a security or compliance control, because that control can be fed with files from outside the requester's scope.
This vulnerability was publicly disclosed on 2025-12-05. No public proof-of-concept (PoC) code has been identified at the time of writing, and the CVE is not listed in the CISA KEV catalog. Given the LOW CVSS score and the absence of public exploits, the probability of active exploitation is considered low; patching on the normal update cycle and monitoring of approval activity are still recommended.
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-66515 is to upgrade the Nextcloud Approval app: to 2.0.1 or later on the 2.x branch, or to 1.3.2 or later on the 1.x branch. If an immediate upgrade is not feasible because of compatibility testing, reduce the exposure in the meantime: review which users and groups are designated as requesters in each approval workflow and restrict that role to the users who actually need it, since holding the requester role is the precondition for abusing the bug. Review pending approval requests for files on which the requester holds no share, and treat such requests as suspicious. A WAF does not help here: the request is a legitimate, authenticated call to the app, and a file ID belonging to another user's file looks no different from a legitimate one at the HTTP layer, so the access check has to be done inside the app.
Update the Nextcloud Approval app to version 1.3.2 or later (1.x branch) or to version 2.0.1 or later (2.x branch). This closes the flaw that lets unauthorized users change the approval status of files. The update can be performed from the Nextcloud admin interface (Apps page) or from the command line with `occ app:update approval`.
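Added here as a worked check, not code from this page or from the Nextcloud project: a POSIX shell script that reads the Approval app version out of `occ app:list --output=json` output and decides whether it falls below the fixed releases given above (2.0.1 for 2.x, 1.3.2 for 1.x). The JSON snippet is constructed sample data; the `--output=json` flag of `occ app:list`, the `occ app:update approval` command, the web-server user `www-data` and the install path `/var/www/nextcloud` are assumptions about the host, not something this page states.

```shell
#!/bin/sh
# Added example for CVE-2025-66515, not taken from the advisory or the
# Nextcloud project. Decides whether an installed Approval app version lies
# below the fixed releases given on this page (1.x: 1.3.2, 2.x: 2.0.1).

# version_lt A B: succeed (exit 0) when dotted version A sorts before B.
# Missing components count as 0, so "2" < "2.0.1" and "2.0.1" == "2.0.1.0".
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x < y) exit 0
      if (x > y) exit 1
    }
    exit 1
  }'
}

# approval_affected VERSION: exit 0 if VERSION is vulnerable, 1 if fixed,
# 2 if the version is outside the 1.x / 2.x branches covered by the advisory.
approval_affected() {
  v="$1"
  case "$v" in
    1.*) fixed=1.3.2 ;;
    2.*) fixed=2.0.1 ;;
    *)   echo "approval $v: not in the 1.x/2.x ranges on this page"; return 2 ;;
  esac
  if version_lt "$v" "$fixed"; then
    echo "approval $v: VULNERABLE (fixed in $fixed)"
    return 0
  fi
  echo "approval $v: fixed ($fixed or later)"
  return 1
}

# approval_version_from_json JSON: pull the Approval app version out of
# `occ app:list --output=json` output, which maps app ids to version strings
# under "enabled" and "disabled". Prints nothing if the app is not installed.
approval_version_from_json() {
  printf '%s' "$1" | grep -o '"approval":"[^"]*"' | head -n 1 | cut -d'"' -f4
}

# Constructed sample output (assumed shape); on a real host replace it with
#   sudo -u www-data php /var/www/nextcloud/occ app:list --output=json
SAMPLE_APP_LIST='{"enabled":{"approval":"2.0.0","files":"2.0.0"},"disabled":{"contacts":"7.0.0"}}'

v=$(approval_version_from_json "$SAMPLE_APP_LIST")
if [ -z "$v" ]; then
  echo "approval app not installed"
elif approval_affected "$v"; then
  echo "upgrade: sudo -u www-data php /var/www/nextcloud/occ app:update approval"
fi
```

The comparison is done in awk rather than with `sort -V` so the script also runs on minimal images without GNU coreutils; exit status 0 from `approval_affected` means "patch now", which makes the script usable as a check step in configuration management.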
CVE-2025-66515 is a LOW severity vulnerability in the Nextcloud Approval app that lets an authenticated requester place another user's file into the pending approval state without having access to that file.
You are affected if you run the Nextcloud Approval app at a 2.x version below 2.0.1 or a 1.x version below 1.3.2. Upgrade to 2.0.1 or later (2.x) or 1.3.2 or later (1.x) to fix the vulnerability.
The recommended fix is to upgrade the Nextcloud Approval app to 2.0.1 or later (2.x branch) or 1.3.2 or later (1.x branch). If an immediate upgrade is not possible, restrict the requester role in approval workflows in the meantime.
As of December 5, 2025, there are no publicly known exploits or active campaigns targeting CVE-2025-66515.
Refer to the official Nextcloud security advisory for CVE-2025-66515 on the Nextcloud website: [https://nextcloud.com/security/advisories](https://nextcloud.com/security/advisories)