Skip to main content

Nextcloud Approval CVE-2026-45277

| EUVDEUVD-2026-33703 LOW
Information Exposure (CWE-200)
2026-06-01 GitHub_M
3.3
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jun 01, 2026 - 20:02 EUVD
Source Code Evidence Fetched
Jun 01, 2026 - 19:34 vuln.today
Analysis Generated
Jun 01, 2026 - 19:34 vuln.today

DescriptionGitHub Advisory

Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, authenticated users can check if arbitrary files are associated with specific approval workflows where they can request approval. This issue has been patched in version 2.7.2.

AnalysisAI

Information disclosure in the Nextcloud Approval app prior to version 2.7.2 allows authenticated users to enumerate whether arbitrary files are enrolled in approval workflows, regardless of their access rights to those files. The root cause (CWE-200) is a missing file-access authorization check in ApprovalService.php before workflow association queries are processed, confirmed by the patch diff in PR #356. No public exploit exists and no active exploitation is confirmed; the practical impact is limited to organizational workflow metadata leakage rather than file content exposure.

Technical ContextAI

The affected component is the Nextcloud Approval app, a Nextcloud plugin managing file-based approval workflows. The flaw resides in the getBasicUserRules() method of lib/Service/ApprovalService.php, which accepted a file ID parameter and returned workflow association data without first verifying whether the requesting user had read access to the referenced file. This creates an authorization oracle: by iterating numeric Nextcloud file IDs, an authenticated user can probe the approval subsystem and infer workflow membership for files they cannot access. The patch (PR #356) inserts a call to $this->utilsService->userHasAccessTo($fileId, $userId) before any workflow logic executes, throwing an InvalidArgumentException for unauthorized file IDs. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) correctly classifies this as a missing pre-condition access control check. The CPE string cpe:2.3:a:nextcloud:security-advisories:*:*:*:*:*:*:*:* is a repository-level identifier; the specific affected artifact is the Nextcloud Approval app.

RemediationAI

Upgrade the Nextcloud Approval app to version 2.7.2 or later, which is confirmed as the vendor-released patch per the GitHub security advisory GHSA-h7gm-vgxr-9hcw. The fix is available in upstream PR #356 (https://github.com/nextcloud/approval/pull/356) and should be applied via the Nextcloud app store or manual update. No documented workarounds exist short of disabling the Approval app entirely if upgrade is not immediately possible - disabling the app eliminates the attack surface but also removes all approval workflow functionality. Administrators in sensitive deployments should prioritize this update even given the low CVSS score if workflow enrollment metadata is considered confidential organizational information.

CVE-2023-26482 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2020-8180 CRITICAL POC
9.9 Jun 08

A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co

CVE-2023-48306 CRITICAL POC
9.8 Nov 21

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),

CVE-2016-9463 HIGH POC
8.1 Mar 28

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti

CVE-2023-31128 HIGH POC
8.8 May 26

NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2023-28643 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2021-22879 HIGH POC
8.8 Apr 14

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi

CVE-2019-12739 HIGH POC
8.8 Jun 05

lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi

CVE-2020-8259 HIGH POC
8.1 Nov 16

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the

CVE-2020-8121 HIGH POC
8.1 Feb 04

A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high

CVE-2020-8182 HIGH POC
8.0 Oct 05

Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss

CVE-2020-8224 HIGH POC
7.8 Aug 10

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi

Share

CVE-2026-45277 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy