Skip to main content

KDE Dolphin CVE-2026-41525

| EUVDEUVD-2026-26003 MEDIUM
Incorrect Resource Transfer Between Spheres (CWE-669)
2026-04-28 mitre
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 28, 2026 - 20:23 nvd
Patch available
Patch available
Apr 28, 2026 - 09:01 EUVD
Analysis Generated
Apr 28, 2026 - 08:00 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 07:30 euvd
EUVD-2026-26003
Analysis Generated
Apr 28, 2026 - 07:30 vuln.today
CVE Published
Apr 28, 2026 - 00:00 nvd
MEDIUM 6.5

DescriptionCVE.org

KDE Dolphin before 25.12.3 allows applications in a Flatpak (or with AppArmor confinement) to open folders outside of the application sandbox without additional scrutiny. Dolphin's implementation of the FileManager1 protocol allows the path given to be any type of file, including scripts or executables. (By default, Dolphin will then prompt the user to determine if they want to launch a script or executable; however, the intended behavior is to block the attempted action, not present a consent prompt.)

AnalysisAI

KDE Dolphin before 25.12.3 allows sandboxed applications (running under Flatpak or AppArmor confinement) to bypass sandbox restrictions and open arbitrary files outside their containment boundary through the FileManager1 D-Bus protocol implementation. An attacker controlling a sandboxed application can exploit this to access sensitive files or execute scripts with user interaction, circumventing the intended isolation model.

Technical ContextAI

KDE Dolphin implements the FileManager1 D-Bus protocol, a system-level service that allows applications to request file manager operations. The vulnerability exists because Dolphin's protocol handler accepts arbitrary file paths without validating whether the requesting application has sandbox permission to access those paths. CWE-669 (Incorrect Resource Transfer Between Spheres) describes the root cause: resources (file paths) are transferred from a confined application context to an unconfined file manager without proper boundary enforcement. When a Flatpak or AppArmor-confined application calls FileManager1 methods with an absolute path, Dolphin opens that path in its own context, which runs outside the sandbox and thus has access to the host filesystem. The implementation compounds the risk by defaulting to a user-consent prompt for executable files rather than a deny-by-default policy.

RemediationAI

Upgrade KDE Dolphin to version 25.12.3 or later immediately. The fix is confirmed released at https://github.com/KDE/dolphin/releases/tag/v25.12.3 and documented in the KDE security advisory at https://kde.org/info/security/advisory-20260427-2.txt. For distributions packaging older versions, request backported security updates. If immediate upgrade is not feasible, mitigate by restricting the scope of Flatpak applications permitted to run on the system - whitelist only trusted applications from official repositories and disable sideloaded or third-party Flatpak sources, which reduces the likelihood of a malicious sandboxed application being installed. Organizations relying on AppArmor can audit sandbox profiles to ensure Dolphin runs with appropriate confinement; however, this is a defense-in-depth measure and does not replace the patch. Users should avoid running untrusted applications in Flatpak sandboxes until patched, as the sandbox is no longer a reliable security boundary for file access in affected Dolphin versions.

Share

CVE-2026-41525 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy