CVE-2026-35465: CWE-73: External Control of File Name or Path in freedomofpress securedrop-client
CVE-2026-35465 is a high severity vulnerability in freedomofpress securedrop-client versions 0. 17. 4 and below. It involves improper filename validation during gzip archive extraction, allowing a compromised SecureDrop Server to use absolute paths to overwrite critical files on the client, including the SQLite database. Exploitation requires prior compromise of the SecureDrop Server, which is hardened and accessible only via Tor hidden services. The vulnerability can lead to code execution on the client's virtual machine, impacting confidentiality, integrity, and availability of decrypted source submissions. This issue has been fixed in version 0. 17. 5 with a more robust solution in the replacement SecureDrop Inbox codebase.
AI Analysis
Technical Summary
The vulnerability CVE-2026-35465 affects the SecureDrop Client desktop application used by journalists to securely communicate with sources. In versions 0.17.4 and earlier, the client improperly validates filenames when extracting gzip archives, permitting absolute path traversal. This flaw allows a compromised SecureDrop Server to overwrite critical client files, such as the SQLite database, potentially leading to code execution within the client's virtual machine (sd-app). Exploitation requires the attacker to have already compromised the SecureDrop Server, which is designed to be hardened and accessible only via Tor hidden services. The vulnerability is similar to CVE-2025-24888 but occurs through a different code path. The issue was addressed in version 0.17.5 with a more robust fix implemented in the new SecureDrop Inbox codebase.
Potential Impact
Successful exploitation can result in code execution on the SecureDrop Client's virtual machine, allowing an attacker to compromise the confidentiality, integrity, and availability of decrypted source submissions. Given the requirement of prior server compromise and the hardened nature of the SecureDrop Server, the attack complexity is high. However, the impact on the client environment is significant if exploited.
Mitigation Recommendations
This vulnerability has been fixed in SecureDrop Client version 0.17.5. Users should upgrade to version 0.17.5 or later to remediate this issue. Since this is a client-side application and not a cloud service, applying the official fix is necessary to mitigate the risk. No additional mitigation steps are indicated beyond upgrading to the patched version.
CVE-2026-35465: CWE-73: External Control of File Name or Path in freedomofpress securedrop-client
Description
CVE-2026-35465 is a high severity vulnerability in freedomofpress securedrop-client versions 0. 17. 4 and below. It involves improper filename validation during gzip archive extraction, allowing a compromised SecureDrop Server to use absolute paths to overwrite critical files on the client, including the SQLite database. Exploitation requires prior compromise of the SecureDrop Server, which is hardened and accessible only via Tor hidden services. The vulnerability can lead to code execution on the client's virtual machine, impacting confidentiality, integrity, and availability of decrypted source submissions. This issue has been fixed in version 0. 17. 5 with a more robust solution in the replacement SecureDrop Inbox codebase.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-35465 affects the SecureDrop Client desktop application used by journalists to securely communicate with sources. In versions 0.17.4 and earlier, the client improperly validates filenames when extracting gzip archives, permitting absolute path traversal. This flaw allows a compromised SecureDrop Server to overwrite critical client files, such as the SQLite database, potentially leading to code execution within the client's virtual machine (sd-app). Exploitation requires the attacker to have already compromised the SecureDrop Server, which is designed to be hardened and accessible only via Tor hidden services. The vulnerability is similar to CVE-2025-24888 but occurs through a different code path. The issue was addressed in version 0.17.5 with a more robust fix implemented in the new SecureDrop Inbox codebase.
Potential Impact
Successful exploitation can result in code execution on the SecureDrop Client's virtual machine, allowing an attacker to compromise the confidentiality, integrity, and availability of decrypted source submissions. Given the requirement of prior server compromise and the hardened nature of the SecureDrop Server, the attack complexity is high. However, the impact on the client environment is significant if exploited.
Mitigation Recommendations
This vulnerability has been fixed in SecureDrop Client version 0.17.5. Users should upgrade to version 0.17.5 or later to remediate this issue. Since this is a client-side application and not a cloud service, applying the official fix is necessary to mitigate the risk. No additional mitigation steps are indicated beyond upgrading to the patched version.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-02T19:25:52.193Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e2d977bdfbbecc59bbf816
Added to database: 4/18/2026, 1:08:07 AM
Last enriched: 4/18/2026, 1:23:20 AM
Last updated: 4/18/2026, 2:15:05 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.