Description
Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, authenticated users can check if arbitrary files are associated with specific approval workflows where they can request approval. This issue has been patched in version 2.7.2.
Published: 2026-06-01
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated user to discover whether any arbitrary file is linked to an approval workflow in Nextcloud’s Approval app. By supplying a file identifier via the exposed parameter, an attacker can learn which workflows apply to that file, revealing sensitive metadata about internal processes. This is a classic information‑disclosure weakness (CWE‑200) and does not provide access to the file contents or other system functions.

Affected Systems

Nextcloud users running the Approval app before version 2.7.2 are affected. The issue was fixed in the 2.7.2 release, so any deployment of earlier versions is vulnerable.

Risk and Exploitability

The CVSS score of 3.3 denotes low severity. The flaw is exploitable only by authenticated users, so the attack requires a legitimate session within the application. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, so there is no known widespread exploitation. However, any authenticated user, whether administrative or normal, could use the exposed API to enumerate approval workflow associations.

Generated by OpenCVE AI on June 1, 2026 at 21:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Nextcloud Approval app to version 2.7.2 or later
  • If upgrading is not immediately possible, limit the use of the Approval app to the minimum necessary user groups and review access permissions
  • Disable the Approval app for users who do not require workflow functionality, or remove sensitive workflow associations from public interfaces

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 22:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, authenticated users can check if arbitrary files are associated with specific approval workflows where they can request approval. This issue has been patched in version 2.7.2.
Title | | Nextcloud: Information disclosure in Nextcloud Approval app via fileId parameter reveals workflow associations
Weaknesses | | CWE-200
References | |
Metrics | | cvssV3_1 {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T21:43:17.556Z

Reserved: 2026-05-11T18:41:13.157Z

Link: CVE-2026-45277

Vulnrichment

Updated: 2026-06-01T21:43:11.839Z

NVD

Status: Awaiting Analysis

Published: 2026-06-01T19:16:49.677

Modified: 2026-06-02T14:00:31.067

Link: CVE-2026-45277

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T21:45:22Z

Weaknesses