CVE-2026-45275
Privilege Escalation in Nextcloud Approval App
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | approval | before 2.7.2 (exclusive) |
| nextcloud | approval_app | before 2.7.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in versions of the Nextcloud Approval app prior to 2.7.2. It allows a user who does not have sharing permissions to bypass authorization controls and force the system to share a file with approvers.
As a result, unauthorized users can escalate their privileges and distribute restricted files without proper permission.
The issue has been fixed in version 2.7.2 of the Approval app.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized distribution of restricted files due to an authorization bypass and privilege escalation in the Nextcloud Approval app. This primarily impacts data confidentiality by enabling users without proper sharing permissions to share files with approvers.
Such unauthorized access and distribution of sensitive or restricted data can lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.
Therefore, if exploited, this vulnerability could result in violations of confidentiality requirements mandated by these regulations, potentially leading to legal and regulatory consequences.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized distribution of restricted files by users who should not have sharing permissions.
It results in an authorization bypass and privilege escalation, potentially exposing sensitive or confidential data.
The impact primarily affects data confidentiality, which could lead to data leaks or breaches.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the Nextcloud Approval app to version 2.7.2 or later, where the issue has been patched.
As a temporary workaround, you can disable the Approval app to prevent exploitation of the privilege escalation vulnerability.