Skip to main content

Securedrop Client CVE-2026-35465

| EUVDEUVD-2026-23626 HIGH
External Control of File Name or Path (CWE-73)
2026-04-18 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Patch released
Apr 23, 2026 - 18:31 nvd
Patch available
Patch available
Apr 18, 2026 - 02:01 EUVD
Analysis Updated
Apr 18, 2026 - 01:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 18, 2026 - 01:22 vuln.today
cvss_changed
Analysis Generated
Apr 18, 2026 - 01:10 vuln.today
EUVD ID Assigned
Apr 18, 2026 - 01:00 euvd
EUVD-2026-23626
Analysis Generated
Apr 18, 2026 - 01:00 vuln.today
CVE Published
Apr 18, 2026 - 00:41 nvd
HIGH 7.5

DescriptionGitHub Advisory

SecureDrop Client is a desktop app for journalists to securely communicate with sources and handle submissions on the SecureDrop Workstation. In versions 0.17.4 and below, a compromised SecureDrop Server can achieve code execution on the Client's virtual machine (sd-app) by exploiting improper filename validation in gzip archive extraction, which permits absolute paths and enables overwriting critical files like the SQLite database. Exploitation requires prior compromise of the dedicated SecureDrop Server, which itself is hardened and only accessible via Tor hidden services. Despite the high attack complexity, the vulnerability is rated High severity due to its significant impact on confidentiality, integrity, and availability of decrypted source submissions. This issue is similar to CVE-2025-24888 but occurs through a different code path, and a more robust fix has been implemented in the replacement SecureDrop Inbox codebase. The issue has been fixed in version 0.17.5.

AnalysisAI

Path traversal in SecureDrop Client 0.17.4 and below allows a compromised SecureDrop Server to execute arbitrary code on journalist workstations by injecting malicious filenames during gzip archive extraction. The vulnerability enables overwriting the SQLite database and other critical files in the sd-app VM, potentially exposing decrypted source submissions. Fixed in version 0.17.5. No active exploitation confirmed (not in CISA KEV). CVSS 7.5 reflects high impact but complex attack chain requiring prior server compromise and user interaction. EPSS data not available, but real-world risk is constrained by the requirement to first breach a Tor-hidden, hardened server infrastructure.

Technical ContextAI

SecureDrop Client is a Qubes OS-based desktop application used by journalists to access submissions from confidential sources via the SecureDrop platform. The vulnerability (CWE-73: External Control of File Name or Path) stems from insufficient validation during gzip archive extraction. When processing archives from the server, the client fails to sanitize filenames containing absolute paths or directory traversal sequences. An attacker controlling the server can craft archives with malicious paths like '/home/user/.local/share/securedrop_client/svs.sqlite' to overwrite the application's SQLite database or other critical application files in the sd-app virtual machine. This attack vector differs from the similar CVE-2025-24888, occurring through an alternate code path in archive handling. The affected product is SecureDrop Client versions up to and including 0.17.4 (cpe:2.3:a:freedomofpress:securedrop-client:*:*:*:*:*:*:*:*). The vulnerability has been addressed with enhanced path validation in the SecureDrop Inbox replacement codebase.

RemediationAI

Upgrade SecureDrop Client to version 0.17.5 immediately, which contains the fix implemented in commit e518adaf897e7838467ccf9e1f28152ae6fe3655. The patch introduces robust filename validation during gzip archive extraction to prevent absolute paths and directory traversal sequences. SecureDrop operators should update through normal Qubes OS template and app VM update procedures as documented in SecureDrop Workstation administration guides. Until patching is complete, implement temporary compensating controls: restrict server access to only trusted administrators with multi-factor authentication, monitor server logs for unauthorized access or unusual archive creation activity, and consider deferring download of submissions if server compromise is suspected. Note that these mitigations do not eliminate risk if the server is already compromised, as malicious archives may have been planted prior to implementing controls. Organizations should also review server integrity and audit logs for indicators of prior compromise. The vendor advisory and commit details are available at https://github.com/freedomofpress/securedrop-client/security/advisories/GHSA-2jrc-x8fq-prvc and https://github.com/freedomofpress/securedrop-client/commit/e518adaf897e7838467ccf9e1f28152ae6fe3655.

Share

CVE-2026-35465 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy