Privilege Escalation in Nextcloud Approval App (Before 2.7.2)
CVE-2026-45275 Published on June 1, 2026

Nextcloud: Authorization bypass in approval feature allows unauthorized file sharing with approvers
Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, a privilege escalation vulnerability exists in the Approval app that allows a user without sharing permissions to force the system to share a file with approvers. This results in an authorization bypass and privilege escalation, allowing unauthorized distribution of restricted files. This issue has been patched in version 2.7.2.

NVD

Vulnerability Analysis

CVE-2026-45275 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

What is an AuthZ Vulnerability?

The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CVE-2026-45275 has been classified to as an AuthZ vulnerability or weakness.


Affected Versions

nextcloud security-advisories Version < 2.7.2 is affected by CVE-2026-45275