Home > Vulnerability Database > CVE-2025-66515

Mend.io Vulnerability Database

CVE-2025-66515

Good to know:

Date: December 5, 2025

The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user’s file into the “pending approval” without access to the file by using the numeric file id. This vulnerability is fixed in 1.3.1 and 2.5.0.

Severity Score

2.7

Related Resources (6)

Url: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q26g-fmjq-x5g5

Url: https://github.com/nextcloud/approval/commit/e30b56b7832255311ac800b7875f44866e88fff4

Url: https://hackerone.com/reports/3338748

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-66515

Url: https://github.com/nextcloud/approval/pull/334

Url: https://www.mend.io/vulnerability-database/CVE-2025-66515

Severity Score

2.7

Weakness Type (CWE)

Improper Authentication

CWE-287

Top Fix

Upgrade Version

Upgrade to version https://github.com/nextcloud/approval.git - v1.3.1;https://github.com/nextcloud/approval.git - v2.5.0

Learn More

CVSS v3.1

Base Score:	2.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-66515

Good to know:

Date: December 5, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?