Platform: nextcloud
Component: approval
Fixed in: 2.0.1, 1.3.2
CVE-2025-66515 affects the Nextcloud Approval app, a component used to manage file approval workflows within Nextcloud. This vulnerability allows an authenticated user designated as a 'requester' in a workflow to place another user's file into a 'pending approval' state without needing direct access to that file. The issue impacts versions 2.0.0 through 2.4.9 and is resolved in version 2.5.0.
The primary impact of CVE-2025-66515 is unauthorized manipulation of file approval workflows. An attacker acting as a requester could use this vulnerability to force files belonging to other users into a pending approval state, bypassing the access control that should restrict which files a requester may act on. While the vulnerability is rated LOW severity, it could be used to disrupt workflows, could expose sensitive data where the approval process is itself a data security control, or could be chained with other vulnerabilities to escalate privileges. The bypass is of particular concern in environments where file approval is a key security control.
CVE-2025-66515 has a LOW CVSS score and, as of the publication date (2025-12-05), there are no publicly known exploits or active campaigns targeting this vulnerability. It is not currently listed on KEV or EPSS. The vulnerability's impact is limited by the requirement for an authenticated user with 'requester' privileges, which reduces the overall attack surface. However, organizations should prioritize patching to prevent potential exploitation.
Exploit Status
EPSS: 0.02% (5th percentile)
The primary mitigation for CVE-2025-66515 is to upgrade the Nextcloud Approval app to version 2.5.0 or later. If immediate upgrading is not feasible due to compatibility concerns or system downtime requirements, consider implementing stricter access controls within Nextcloud to limit the number of users with 'requester' roles in approval workflows. Review existing approval workflows and identify any potential points of abuse. While a WAF or proxy cannot directly prevent this vulnerability, they can be configured to monitor for unusual approval activity and flag suspicious requests. After upgrading, confirm the fix by attempting to trigger the approval bypass scenario with a user account designated as a requester and verifying that the file access control remains enforced.
Update the Nextcloud Approval app to version 1.3.1 or higher, or to version 2.5.0 or higher. This will correct the vulnerability that allows unauthorized users to change the approval status of files. The update can be performed through the Nextcloud administration interface.
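To help with the first step above (finding out whether an instance is running an affected build), here is an added example, not code from this page or from the Nextcloud project, that parses the output of `occ app:list` and compares the Approval app's version against the affected range. The range used by default (2.0.0 through 2.4.9, fixed in 2.5.0) is the one given in the text above; the 1.x branch is not modelled because the page states only its fixed version, not where its affected range begins. The `occ` output embedded below is a constructed sample, not captured from a real instance.

```python
import re

# Constructed sample of `occ app:list` output; versions here are made up for the demo.
SAMPLE_OCC_APP_LIST = """Enabled:
  - approval: 2.3.0
  - files: 1.19.0
Disabled:
  - contacts: 5.2.0
"""


def parse_version(v: str) -> tuple:
    """Turn '2.4.9' into (2, 4, 9) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.strip().split("."))


def parse_occ_app_list(text: str) -> dict:
    """Return {app_id: (version, enabled)} from `occ app:list` output.

    The output lists apps under 'Enabled:' and 'Disabled:' headings as
    '  - <app_id>: <version>' lines; everything else is ignored.
    """
    apps = {}
    enabled = None  # unknown until we see a heading
    for line in text.splitlines():
        if line.startswith("Enabled:"):
            enabled = True
            continue
        if line.startswith("Disabled:"):
            enabled = False
            continue
        m = re.match(r"\s*-\s*([\w-]+):\s*(\S+)", line)
        if m and enabled is not None:
            apps[m.group(1)] = (m.group(2), enabled)
    return apps


def is_affected(version: str, first_affected: str = "2.0.0", last_affected: str = "2.4.9") -> bool:
    """True if version falls inside the inclusive affected range (defaults from the advisory text)."""
    v = parse_version(version)
    return parse_version(first_affected) <= v <= parse_version(last_affected)


def check_instance(occ_output: str, app_id: str = "approval") -> str:
    """Classify one instance's Approval app as not installed, affected or not affected."""
    apps = parse_occ_app_list(occ_output)
    if app_id not in apps:
        return "not installed"
    version, enabled = apps[app_id]
    if is_affected(version):
        # A disabled app still carries vulnerable code on disk; report both states.
        return f"affected ({version}, {'enabled' if enabled else 'disabled'})"
    return f"not affected ({version})"


if __name__ == "__main__":
    print(check_instance(SAMPLE_OCC_APP_LIST))
```

In practice, feed the function the real output of `php occ app:list` from each instance. Comparing parsed integer tuples rather than raw strings matters here: a string comparison would wrongly rank "2.10.0" below "2.4.9".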
CVE-2025-66515 is a LOW severity vulnerability in the Nextcloud Approval app that allows authenticated requesters to bypass file access controls and place files into a pending approval state without direct access.
You are affected if you are using the Nextcloud Approval app versions 2.0.0 through 2.4.9. Upgrade to version 2.5.0 or later to mitigate the vulnerability.
The recommended fix is to upgrade the Nextcloud Approval app to version 2.5.0 or later. Consider stricter access controls if immediate upgrading is not possible.
As of December 5, 2025, there are no publicly known exploits or active campaigns targeting CVE-2025-66515.
Refer to the official Nextcloud security advisory for CVE-2025-66515 on the Nextcloud website: [https://nextcloud.com/security/advisories](https://nextcloud.com/security/advisories)