CVE-2026-45277 Overview
CVE-2026-45277 is an information disclosure vulnerability in the Nextcloud Approval app, an open source content collaboration extension for the Nextcloud platform. Versions prior to 2.7.2 allow authenticated users to determine whether arbitrary files are associated with specific approval workflows for which they can request approval. The flaw maps to CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. Nextcloud patched the issue in version 2.7.2.
Critical Impact
Authenticated local users can confirm the existence of files tied to approval workflows, leaking metadata about resources outside their normal visibility.
Affected Products
- Nextcloud Approval app versions prior to 2.7.2
- Nextcloud server deployments running the vulnerable Approval extension
- Component identifier: nextcloud:approval
Discovery Timeline
- 2026-06-01 - CVE-2026-45277 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-45277
Vulnerability Analysis
The Nextcloud Approval app implements workflows that let designated users request approval for specific files. The vulnerable code path accepts a file identifier from an authenticated user and reports whether that file is bound to a workflow the user can submit for approval. The response distinguishes between files associated with an in-scope workflow and files that are not, regardless of whether the requesting user has read access to the target file. This behavior turns the endpoint into an oracle for file existence and workflow assignment.
The vulnerability is classified as information exposure rather than data exfiltration. Attackers do not retrieve file contents, but they learn the presence and workflow context of arbitrary file identifiers. The impact is confidentiality-only, with no effect on integrity or availability of the Nextcloud instance.
Root Cause
The Approval app failed to enforce a per-file access check before evaluating workflow association. The handler validated the requesting user's permission to interact with the workflow but did not verify that user's permission on the file referenced in the query. This omission is a classic broken access control pattern in business logic.
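To make the access-control gap concrete, here is an added, hypothetical model of the two code paths (this is illustrative Python, not the Approval app's real PHP code, and the store layout, user names and file ids are constructed). The vulnerable lookup checks only the caller's workflow permission; the fixed lookup checks the caller's read access to the file first and returns one uniform "not_found" response for files that are inaccessible, non-existent, or unassigned, so the response no longer acts as an oracle.

```python
"""Hypothetical model of a file-to-workflow lookup with and without a
per-file access check. Not the Nextcloud Approval app's code; the data
below is constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Store:
    # file_id -> user ids allowed to read that file
    file_readers: dict = field(default_factory=dict)
    # workflow_id -> user ids allowed to request approval in that workflow
    workflow_requesters: dict = field(default_factory=dict)
    # file_id -> workflow_id the file is bound to
    file_workflow: dict = field(default_factory=dict)


def vulnerable_lookup(store, user, file_id):
    """Report whether file_id is bound to a workflow the user may request
    approval in. Only the workflow permission is checked, so for a file the
    user cannot read the answer still depends on its workflow binding: the
    endpoint leaks existence and assignment of arbitrary file ids."""
    workflow = store.file_workflow.get(file_id)
    if workflow is None:
        return {"status": "not_found"}
    if user not in store.workflow_requesters.get(workflow, set()):
        return {"status": "not_found"}
    return {"status": "ok", "workflow": workflow}


def fixed_lookup(store, user, file_id):
    """Same lookup with the missing per-file check performed first. A file
    the user cannot read yields the same response as a file that does not
    exist or is not bound to any workflow, so nothing about unreadable
    files can be inferred from the reply."""
    if user not in store.file_readers.get(file_id, set()):
        return {"status": "not_found"}
    # The user can read the file, so revealing its workflow binding is fine.
    return vulnerable_lookup(store, user, file_id)


def build_sample_store():
    """Constructed sample data: bob may request approval in the 'contracts'
    workflow but can only read file 102; file 101 is also bound to the
    workflow, file 103 is not."""
    store = Store()
    store.file_readers = {101: {"alice"}, 102: {"alice", "bob"}, 103: {"alice"}}
    store.workflow_requesters = {"contracts": {"alice", "bob"}}
    store.file_workflow = {101: "contracts", 102: "contracts"}
    return store


def is_oracle(lookup, store, user, unreadable_a, unreadable_b):
    """True if the lookup gives different answers for two files the user
    cannot read, i.e. the response leaks information about them."""
    return lookup(store, user, unreadable_a) != lookup(store, user, unreadable_b)


if __name__ == "__main__":
    s = build_sample_store()
    print("vulnerable:", vulnerable_lookup(s, "bob", 101))  # leaks workflow of unreadable file
    print("fixed:     ", fixed_lookup(s, "bob", 101))       # uniform not_found
```

The important design choice in `fixed_lookup` is not just adding the check but collapsing the three negative outcomes into a single response; a distinct "forbidden" status would still confirm that the file exists.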
Attack Vector
Exploitation requires an authenticated account on the Nextcloud instance with permission to request approvals on at least one workflow. The attacker iterates file identifiers against the vulnerable endpoint and observes the response to enumerate files attached to workflows. The attack vector is local to the application context and does not require user interaction. Refer to the GitHub Security Advisory GHSA-h7gm-vgxr-9hcw and HackerOne Report #3475210 for additional context.
Detection Methods for CVE-2026-45277
Indicators of Compromise
- Repeated authenticated requests from a single account to Approval app endpoints that reference sequential or enumerated file identifiers.
- Anomalous volume of workflow-association lookups originating from accounts that rarely interact with the Approval app.
- Approval app log entries showing lookups for file identifiers the requesting user does not otherwise access.
Detection Strategies
- Review Nextcloud audit logs for high-frequency calls to Approval app routes tied to file-to-workflow checks.
- Correlate user session activity with file identifier ranges queried through the Approval app to surface enumeration patterns.
- Alert on authenticated users who query workflow association for files they have never opened or downloaded.
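The enumeration pattern described in the indicators and detection strategies above can be checked with a short script. The following is an added example, not tooling from Nextcloud or the Approval project: it parses constructed access-log lines (the `/apps/approval/.../file-workflow?fileId=` route is a placeholder for whatever the real file-to-workflow lookup route is in a given deployment) and flags any account that queries many distinct, mostly sequential file identifiers inside a short window.

```python
"""Added example: flag file-identifier enumeration against an Approval-style
lookup route. The route and log format below are constructed placeholders;
adjust LINE_RE to the real route and log layout of the instance."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <user> <method> <path>" per line.
# alice and bob make a few normal lookups; mallory walks 40 sequential ids.
SAMPLE_LOG = "\n".join(
    [
        "2026-06-02T10:00:01Z alice GET /apps/approval/api/v1/file-workflow?fileId=102",
        "2026-06-02T10:00:09Z bob GET /apps/approval/api/v1/file-workflow?fileId=102",
        "2026-06-02T10:03:30Z alice GET /apps/approval/api/v1/file-workflow?fileId=101",
    ]
    + [
        f"2026-06-02T10:00:{5 + i:02d}Z mallory GET "
        f"/apps/approval/api/v1/file-workflow?fileId={1000 + i}"
        for i in range(40)
    ]
)

# Placeholder route pattern; the real lookup route may differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) \S+ /apps/approval/\S*?[?&]fileId=(?P<fid>\d+)"
)


def parse(log_text):
    """Return (user, timestamp, file_id) for every matching log line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((m["user"], ts, int(m["fid"])))
    return events


def find_enumerators(events, window=timedelta(seconds=60),
                     min_distinct=20, min_sequential=0.8):
    """Flag users who query >= min_distinct distinct file ids within one
    sliding window where the sorted ids are mostly consecutive."""
    by_user = defaultdict(list)
    for user, ts, fid in events:
        by_user[user].append((ts, fid))

    findings = []
    for user, evs in by_user.items():
        evs.sort()
        j = 0
        for i in range(len(evs)):
            # advance j to the first event outside the window starting at i
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            ids = sorted({fid for _, fid in evs[i:j]})
            if len(ids) < min_distinct:
                continue
            steps = [b - a for a, b in zip(ids, ids[1:])]
            seq_ratio = sum(1 for s in steps if s == 1) / len(steps)
            if seq_ratio >= min_sequential:
                findings.append({
                    "user": user,
                    "distinct_ids": len(ids),
                    "sequential_ratio": round(seq_ratio, 2),
                    "window_start": evs[i][0].isoformat(),
                })
                break  # one finding per user is enough to raise an alert
    return findings


def detect_sample():
    """Run the detector over the constructed sample log."""
    return find_enumerators(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in detect_sample():
        print(finding)
```

The thresholds are deliberately conservative defaults; tune `min_distinct` and `window` against the per-user baseline recommended under Monitoring Recommendations, and consider lowering `min_sequential` since an attacker can randomize the order of identifiers.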
Monitoring Recommendations
- Enable verbose logging in the Nextcloud Approval app and ship logs to a centralized analytics platform for retention and review.
- Track the installed version of the Approval app across all Nextcloud instances and flag any deployment below 2.7.2.
- Establish a baseline of normal Approval app request rates per user and alert on deviations.
How to Mitigate CVE-2026-45277
Immediate Actions Required
- Upgrade the Nextcloud Approval app to version 2.7.2 or later on every Nextcloud instance.
- Audit accounts authorized to request approvals and remove permissions for users who do not need them.
- Review recent Approval app activity for evidence of file identifier enumeration prior to patching.
Patch Information
The fix is delivered in Nextcloud Approval 2.7.2. The code change is published in Nextcloud Approval Pull Request #356 and described in the GitHub Security Advisory GHSA-h7gm-vgxr-9hcw. Administrators should apply the upgrade through the Nextcloud app store or by deploying the updated package directly.
Workarounds
- Disable the Approval app on affected Nextcloud instances until the upgrade to 2.7.2 is completed.
- Restrict approval workflow membership to a minimal set of trusted users to reduce the population of accounts that can probe the endpoint.
- Place the Nextcloud instance behind authenticated access controls and monitor for suspicious automated requests.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


