Impact Analysis

This vulnerability can lead to information disclosure where authenticated users with low privileges can determine if arbitrary files are linked to approval workflows. While it does not allow modification or deletion of files, it exposes potentially sensitive workflow association information.

The impact is rated as low severity with a CVSS score of 3.3, requiring local access and low privileges, and no user interaction. However, unauthorized disclosure of workflow associations could aid attackers in understanding internal processes or targeting specific files.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-45277 is a vulnerability in the Nextcloud Approval app affecting versions prior to 2.7.2. It allows authenticated users to check if arbitrary files are associated with specific approval workflows where they can request approval. This means that users with low privileges can gain information about workflow associations of files they might not otherwise have access to.

The issue arises from insufficient access permission checks related to the fileId parameter, which was addressed by an improved permission check introduced in a code update merged in early 2026.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the Nextcloud Approval app versions prior to 2.7.2, where authenticated users can check if arbitrary files are associated with approval workflows. Detection would involve verifying the version of the Approval app installed and monitoring for suspicious use of the fileId parameter in requests.

Specifically, you can check the installed version of the Nextcloud Approval app to see if it is older than 2.7.2.

• Use Nextcloud's occ command line tool to list app versions: `sudo -u www-data php occ app:list` and look for the Approval app version.
• Monitor web server logs for requests containing the `fileId` parameter to the Approval app endpoints, which might indicate attempts to exploit the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the Nextcloud Approval app to version 2.7.2 or later, where the vulnerability has been patched.

If upgrading immediately is not possible, the only other option is to disable the Approval app entirely to prevent exploitation.

Since the vulnerability requires authenticated access with low privileges and no user interaction, limiting user access and monitoring for suspicious activity can also help reduce risk.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows authenticated users to check if arbitrary files are associated with specific approval workflows, potentially disclosing information about workflow associations to unauthorized users.

While the impact is rated as low and the disclosure is limited to workflow associations rather than the file contents themselves, such information disclosure could have implications for compliance with data protection regulations like GDPR or HIPAA if it leads to unauthorized exposure of sensitive process-related metadata.

However, the provided information does not explicitly state any direct compliance violations or regulatory impacts caused by this vulnerability.

Useful 0 Not Useful 0