Improper Filename Validation Vulnerability in SecureDrop Client by Freedom of the Press
CVE-2026-35465

7.5 HIGH

Key Information:

Vendor: Freedom of the Press
CVE Published: 18 April 2026

What is CVE-2026-35465?

The SecureDrop Client, designed for journalists to securely interact with sources, has a vulnerability that allows a compromised SecureDrop Server to execute arbitrary code on the client's virtual machine. This is accomplished through a flaw in filename validation during the extraction of gzip archives, permitting the use of absolute paths that can overwrite critical files, including the SQLite database. While exploitation requires an initial compromise of the SecureDrop Server, which operates under strict security measures and is only accessible via Tor hidden services, the potential impact on the confidentiality, integrity, and availability of sensitive submissions is significant. This issue is distinct from similar vulnerabilities and has been addressed in version 0.17.5.
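
As an added illustration of the class of check that closes this bug (example code written for this page, not SecureDrop's own), the following Python rejects absolute and traversal filenames before an extracted file is written anywhere. It assumes the server-controlled name arrives in the gzip header's optional FNAME field and that the client already knows its own extraction directory; both are assumptions, not details taken from the advisory.

```python
import os
from pathlib import PurePosixPath
from typing import Optional

class UnsafeFilename(ValueError):
    """A server-supplied filename that must not be used to place an extracted file."""

def gzip_header_filename(data: bytes) -> Optional[str]:
    """Return the optional FNAME field of a gzip member header (RFC 1952), or None.
    Assumption: this header field is the filename a (possibly hostile) server controls."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    flags, pos = data[3], 10
    if flags & 0x04:                       # FEXTRA: 2-byte little-endian length + payload
        pos += 2 + int.from_bytes(data[pos:pos + 2], "little")
    if not flags & 0x08:                   # FNAME bit clear: no filename in header
        return None
    return data[pos:data.index(b"\x00", pos)].decode("latin-1")

def safe_extraction_path(dest_dir: str, filename: str) -> str:
    """Return an absolute path strictly inside dest_dir, or raise UnsafeFilename.
    Absolute paths, traversal components, NUL bytes and empty names are rejected
    before anything is written, so the name cannot target files outside dest_dir."""
    if not filename or "\x00" in filename:
        raise UnsafeFilename("empty filename or embedded NUL")
    path = PurePosixPath(filename)
    if path.is_absolute():
        raise UnsafeFilename(f"absolute path rejected: {filename!r}")
    if not path.name or any(p in (".", "..") for p in path.parts):
        raise UnsafeFilename(f"traversal or empty component rejected: {filename!r}")
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, path.name))  # final component only
    if os.path.commonpath([base, target]) != base:            # defence in depth
        raise UnsafeFilename(f"resolved path escapes {base}: {filename!r}")
    return target

def is_safe_name(dest_dir: str, filename: str) -> bool:
    """Predicate form of safe_extraction_path for callers that only need a verdict."""
    try:
        safe_extraction_path(dest_dir, filename)
        return True
    except UnsafeFilename:
        return False

# Constructed sample header (no compressed body follows): FLG=0x08 means FNAME is
# present, and the name chosen here is an absolute path, the case the advisory describes.
SAMPLE_HEADER = b"\x1f\x8b\x08\x08" + b"\x00" * 6 + b"/home/user/app.db\x00"
```

The parser is only there to show where the untrusted name comes from; the important part is that the name is validated, and the write refused, before any file is opened.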

Affected Version(s)

securedrop-client < 0.17.5

CVSS v3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published: 18 April 2026

  • Vulnerability reserved