CVE-2026-45277: Nextcloud Approval Information Disclosure Vulnerability
Nextcloud's approval workflow feature contains an information disclosure flaw that allows authenticated users to determine whether arbitrary files are connected to specific approval processes. An attacker with valid credentials can probe the system to learn if particular files have approval workflows attached, potentially revealing organizational file structures and approval dependencies that should remain confidential. The issue affects versions prior to 2.7.2 and does not require user interaction to exploit.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.3 LOW · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-200
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, authenticated users can check if arbitrary files are associated with specific approval workflows where they can request approval. This issue has been patched in version 2.7.2.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45277 is a CWE-200 information disclosure vulnerability in Nextcloud Approval. The vulnerability exists because the approval workflow query mechanism does not properly restrict file association queries to only those workflows an authenticated user has legitimate access to. Prior to version 2.7.2, an authenticated attacker can send crafted requests to check file-to-workflow relationships across the system, bypassing intended access controls. The attack surface is local (AV:L) and requires low attack complexity (AC:L), but does mandate valid authentication credentials (PR:L). No user interaction is required (UI:N), and the impact is limited to confidentiality (C:L) with no integrity or availability consequences.
Business impact
This vulnerability poses a moderate operational risk centered on information leakage. Attackers with valid Nextcloud accounts can map organizational file structures and approval workflows without authorization, potentially discovering sensitive approval processes, document hierarchies, or departmental file organization. While the vulnerability does not alter or delete data, the reconnaissance capability could inform social engineering, targeted data exfiltration, or workflow manipulation attacks. Organizations relying on approval workflows as part of compliance or data governance frameworks may face audit concerns if unauthorized file association queries occur at scale.
Affected systems
The Nextcloud Approval application in versions prior to 2.7.2 is affected. This encompasses all deployments running Nextcloud with the Approval app enabled on versions 2.7.1 and earlier. Organizations using the Approval app for document or workflow approvals are in scope; standard Nextcloud installations without the Approval app are unaffected.
Exploitability
Exploitation requires valid Nextcloud authentication credentials, preventing unauthenticated attacks. The technical barrier is low: an attacker with any valid account can programmatically query the approval workflow API to enumerate file associations. The low CVSS score (3.3) reflects the authentication requirement and limited impact scope (confidentiality only), but the ease of exploitation once inside the system is notable. Insider threats and compromised low-privilege accounts present the primary risk vector.
Remediation
Upgrade Nextcloud Approval to version 2.7.2 or later. This patched version implements proper authorization checks to prevent authenticated users from querying file-workflow associations outside their permitted scope. Organizations should prioritize patching in environments where the Approval app is actively used for document governance or compliance workflows.
Patch guidance
Administrators should verify their current Nextcloud Approval version and upgrade to 2.7.2 or later through standard Nextcloud update channels. Test the upgrade in a staging environment first to confirm compatibility with existing approval workflows and integrations. The patch should be treated as routine but non-emergency given the low CVSS score and authentication requirement; schedule within normal maintenance windows unless your environment has strict data governance requirements.
Detection guidance
Monitor Nextcloud application logs for unusual patterns in approval workflow API queries, particularly requests probing file associations across multiple workflows or users with limited permissions. Look for authenticated sessions performing bulk or sequential queries to workflow endpoints without corresponding business justification. Implement alerting on high-volume approval API calls from single users or service accounts. Network-level detection is limited due to the legitimate use of approval APIs; behavioral analysis at the application layer is more effective.
Why prioritize this
This vulnerability merits standard-priority patching rather than emergency response. The low CVSS score, authentication prerequisite, and information-disclosure-only impact place it below critical infrastructure risks. However, organizations with strict data governance, compliance audits involving workflow integrity, or high-value approval processes should prioritize it within the next patch cycle. The ease of exploitation once inside the network and potential for reconnaissance warrants faster remediation in high-security environments.
Risk score, explained
The CVSS 3.1 score of 3.3 (LOW) reflects a low-impact information disclosure vulnerability requiring valid credentials. The local attack vector (AV:L) and low complexity (AC:L) indicate minimal technical barriers post-authentication. The privacy impact (C:L) is limited—leaked information is scoped and does not cascade into system compromise. The absence of integrity or availability impact further constrains the score. Organizations should interpret this as low absolute risk but should not dismiss the reconnaissance value an attacker gains.
Frequently asked questions
Does this vulnerability allow an attacker to access the content of files?
No. CVE-2026-45277 only discloses whether files are associated with approval workflows. An attacker cannot read file contents, download files, or modify approvals through this vulnerability. The risk is limited to learning metadata about workflow attachments.
Can unauthenticated users exploit this vulnerability?
No. Valid Nextcloud credentials are required to exploit this issue. The vulnerability is primarily a concern for insider threats, compromised accounts, or organizations with overly permissive user access policies.
How urgent is patching if we use Nextcloud but not the Approval app?
If the Approval app is not deployed, this vulnerability does not affect your installation. Verify which apps are enabled in your Nextcloud instance. Patching is only necessary for organizations actively using the Nextcloud Approval module.
What should we do if we suspect unauthorized approval workflow queries in our logs?
Review application logs for the timeframe of suspected queries, identify the source account or IP, and assess whether the queries align with legitimate business activity. If the source cannot be justified, reset credentials, audit that account's recent activity, and consider implementing approval API rate-limiting or query logging enhancements.
This analysis is based on publicly available CVE data and vendor disclosures as of the publication date. CVSS scores and vulnerability severity are subject to organizational context and risk tolerance; review vendor advisories and security bulletins for the most current information. SEC.co does not provide legal, compliance, or procurement advice. Organizations should conduct their own risk assessments and validation of patch compatibility before deployment. Exploit code and detailed attack vectors are not provided in this analysis. Always verify patch version numbers and availability against official Nextcloud release notes before implementation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-45286MEDIUMNextcloud Calendar User Enumeration via Attendee Endpoint
- CVE-2026-10011LOWChrome Skia Cross-Origin Data Leak
- CVE-2026-45683LOWOpenTelemetry eBPF Instrumentation Kernel Memory Disclosure
- CVE-2026-45739LOWStrawberry GraphQL Credential Exposure in GraphiQL Headers
- CVE-2025-69755HIGHNeterbit NW-431F Router RCE and Data Exposure Vulnerability
- CVE-2026-10254MEDIUMUnauthenticated Information Disclosure in SourceCodester Pet Grooming Software
- CVE-2026-10854MEDIUMMISP Galaxy Visibility Control Bypass – Unauthorized Private Metadata Access
- CVE-2026-10864MEDIUMMISP Dashboard Widget Field Filtering Bypass (Medium)