Skip to main content

KDE Arianna CVE-2026-42095

| EUVDEUVD-2026-25566 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-04-24 mitre GHSA-7824-f4f9-2x77
4.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.0 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
SUSE
3.1 LOW
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

6
Patch released
Apr 24, 2026 - 17:55 nvd
Patch available
Patch available
Apr 24, 2026 - 16:16 EUVD
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 14:30 euvd
EUVD-2026-25566
Analysis Generated
Apr 24, 2026 - 14:30 vuln.today
CVE Published
Apr 24, 2026 - 00:00 nvd
MEDIUM 4.0

DescriptionCVE.org

bookserver in KDE Arianna before 26.04.1 allows attackers to read files over a socket connection by guessing a URL.

AnalysisAI

KDE Arianna's bookserver before version 26.04.1 allows local attackers to read arbitrary files over socket connections by guessing URLs without authentication, exploiting missing input validation on the bookserver endpoint. The vulnerability requires local access and does not affect confidentiality of other system components; no public exploit code or active exploitation has been identified.

Technical ContextAI

KDE Arianna's bookserver component exposes a socket-based interface for book content retrieval. The vulnerability stems from CWE-306 (Missing Authentication Check), where the socket listener fails to validate or authenticate requested URLs before serving file content. An attacker with local system access can directly connect to the bookserver socket and craft arbitrary file paths without needing valid credentials or authorization tokens, bypassing the authentication mechanism entirely. The socket-based architecture creates a local attack surface distinct from network-facing vulnerabilities.

RemediationAI

Upgrade KDE Arianna to version 26.04.1 or later; this is the primary vendor-released patch addressing the authentication bypass. Users unable to upgrade immediately should restrict local access to systems running Arianna where possible-disable multi-user login on shared machines or isolate Arianna to dedicated user accounts with minimal system privileges. Consider running Arianna in a confined environment (e.g., namespace/container) if it must coexist with untrusted local users. The socket-based bookserver can be disabled entirely if Arianna's offline book features are not required, eliminating the attack surface, though this removes core functionality. Patch availability is confirmed via KDE's official advisory (kde.org/info/security/advisory-20260424-1.txt) and upstream commits on the KDE GitLab instance.

Vendor StatusVendor

SUSE

Severity: Low

Share

CVE-2026-42095 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy