CVE-2026-35465
Received Received - Intake
Path Traversal in SecureDrop Client Enables High-Severity Code Execution

Publication date: 2026-04-18

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
SecureDrop Client is a desktop app for journalists to securely communicate with sources and handle submissions on the SecureDrop Workstation. In versions 0.17.4 and below, a compromised SecureDrop Server can achieve code execution on the Client's virtual machine (sd-app) by exploiting improper filename validation in gzip archive extraction, which permits absolute paths and enables overwriting critical files like the SQLite database. Exploitation requires prior compromise of the dedicated SecureDrop Server, which itself is hardened and only accessible via Tor hidden services. Despite the high attack complexity, the vulnerability is rated High severity due to its significant impact on confidentiality, integrity, and availability of decrypted source submissions. This issue is similar to CVE-2025-24888 but occurs through a different code path, and a more robust fix has been implemented in the replacement SecureDrop Inbox codebase. The issue has been fixed in version 0.17.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-18
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35465
EUVD
EUVD-2026-23626
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freedom securedrop-client to 0.17.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-36 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in SecureDrop Client versions 0.17.4 and below. It allows a compromised SecureDrop Server to execute code on the Client's virtual machine by exploiting improper filename validation during gzip archive extraction. Specifically, the vulnerability permits absolute paths in filenames, which can overwrite critical files such as the SQLite database.

Exploitation requires that the SecureDrop Server is already compromised, which is difficult because the server is hardened and only accessible via Tor hidden services. Despite the high complexity to exploit, the vulnerability is rated as High severity due to its potential impact.

The issue was fixed in SecureDrop Client version 0.17.5 with a more robust fix implemented in the replacement SecureDrop Inbox codebase.

Impact Analysis

This vulnerability can significantly impact the confidentiality, integrity, and availability of decrypted source submissions handled by the SecureDrop Client.

  • Confidentiality: An attacker could access sensitive information submitted by sources.
  • Integrity: Critical files like the SQLite database can be overwritten, potentially altering or destroying data.
  • Availability: The ability to execute code on the client’s virtual machine could disrupt the normal operation of the SecureDrop Client.

However, exploitation requires prior compromise of the SecureDrop Server, which is designed to be highly secure.

Mitigation Strategies

To mitigate this vulnerability, upgrade the SecureDrop Client to version 0.17.5 or later, where the issue has been fixed.

Since exploitation requires prior compromise of the SecureDrop Server, ensure the server remains secure and hardened, and limit access to it via Tor hidden services as designed.

Compliance Impact

This vulnerability impacts the confidentiality, integrity, and availability of decrypted source submissions handled by the SecureDrop Client. Since these submissions may contain sensitive information, the vulnerability could potentially lead to unauthorized access or modification of such data.

However, exploitation requires prior compromise of the SecureDrop Server, which is hardened and only accessible via Tor hidden services, making the attack complex.

While the CVE description highlights significant impact on data security, it does not explicitly mention effects on compliance with standards like GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35465. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart