CVE-2026-35465
Published: 18 April 2026
Summary
CVE-2026-35465 is a high-severity Absolute Path Traversal (CWE-36) vulnerability in Freedom Securedrop-Client. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). Exploit likelihood is ranked at the 16.7th percentile (below the median), and the vulnerability is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mandates validation of filenames as information inputs during gzip archive extraction, blocking absolute paths and preventing overwrites of files such as the SQLite database.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of the improper filename validation flaw, as implemented in the patch for version 0.17.5.
- Monitoring for unauthorized changes to critical files such as the SQLite database that could result from exploited archive extraction.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The client-side path traversal vulnerability in gzip archive extraction directly enables arbitrary file overwrite leading to code execution on the SecureDrop Client (T1203 Exploitation for Client Execution).
NVD Description
SecureDrop Client is a desktop app for journalists to securely communicate with sources and handle submissions on the SecureDrop Workstation. In versions 0.17.4 and below, a compromised SecureDrop Server can achieve code execution on the Client's virtual machine (sd-app) by exploiting improper filename validation in gzip archive extraction, which permits absolute paths and enables overwriting critical files like the SQLite database. Exploitation requires prior compromise of the dedicated SecureDrop Server, which itself is hardened and only accessible via Tor hidden services. Despite the high attack complexity, the vulnerability is rated High severity due to its significant impact on confidentiality, integrity, and availability of decrypted source submissions. This issue is similar to CVE-2025-24888 but occurs through a different code path, and a more robust fix has been implemented in the replacement SecureDrop Inbox codebase. The issue has been fixed in version 0.17.5.
Deeper analysis
CVE-2026-35465 is a vulnerability in SecureDrop Client, a desktop application for journalists to securely communicate with sources and handle submissions on the SecureDrop Workstation. It affects versions 0.17.4 and below, stemming from improper filename validation during gzip archive extraction on the client's virtual machine (sd-app). This flaw (CWE-36, CWE-73) allows absolute paths, enabling overwriting of critical files such as the SQLite database.
Exploitation requires prior compromise of the dedicated SecureDrop Server, which is hardened and accessible only via Tor hidden services. An attacker with network access, no privileges, but facing high attack complexity and requiring user interaction (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, score 7.5), can then achieve code execution on the client. This compromises confidentiality, integrity, and availability of decrypted source submissions.
The vulnerability is fixed in SecureDrop Client version 0.17.5, with a more robust implementation in the replacement SecureDrop Inbox codebase. The GitHub security advisory (GHSA-2jrc-x8fq-prvc), changelog, and patch commit (e518adaf897e7838467ccf9e1f28152ae6fe3655) detail the remediation, noting similarity to CVE-2025-24888 via a different code path.
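As an added illustration of the filename validation SI-10 calls for (example code written for this page, not code from the SecureDrop project or from the advisory), the Python below builds a gzip stream whose original-name header field carries an untrusted path, then places the weak "join the archive-supplied name onto the destination" pattern beside a hardened check that confines the output to the destination directory. The gzip stream, the helper names and the destination directory are constructed assumptions; the SecureDrop Client's own extraction code path is not reproduced.

```python
from __future__ import annotations
import gzip
import os
import struct
import zlib
from pathlib import Path

FNAME = 0x08  # gzip FLG bit: a NUL-terminated original file name follows the fixed header

def build_gzip(name: bytes, payload: bytes) -> bytes:
    """Constructed sample: a valid gzip stream whose FNAME field holds an arbitrary, untrusted name."""
    header = struct.pack("<BBBBIBB", 0x1F, 0x8B, 8, FNAME, 0, 0, 255) + name + b"\x00"
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw deflate, as gzip requires
    body = comp.compress(payload) + comp.flush()
    trailer = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF, len(payload) & 0xFFFFFFFF)
    return header + body + trailer

def gzip_original_name(data: bytes) -> str | None:
    """Return the FNAME field exactly as the archive supplies it (None when the flag is unset)."""
    if data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a gzip stream")
    flg, pos = data[3], 10
    if flg & 0x04:  # FEXTRA precedes FNAME in the header layout
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flg & FNAME:
        return None
    return data[pos:data.index(b"\x00", pos)].decode("latin-1")

def unsafe_target(dest_dir: str, name: str) -> Path:
    """Weak pattern: os.path.join discards dest_dir entirely when name is absolute (CWE-36)."""
    return Path(os.path.join(dest_dir, name))

def safe_target(dest_dir: str, name: str) -> Path:
    """Hardened: accept a bare file name only, then confirm the resolved path sits directly under dest_dir."""
    if not name or os.path.isabs(name) or name != os.path.basename(name) or name in (".", ".."):
        raise ValueError(f"rejected archive-supplied name: {name!r}")
    root = Path(dest_dir).resolve()
    target = (root / name).resolve()
    if target.parent != root:
        raise ValueError(f"name escapes {root}: {name!r}")
    return target

def extraction_target(data: bytes, dest_dir: str) -> tuple[str | None, Path | None, bytes]:
    """Decompress, then derive the output path from the header name; target is None when the name is rejected."""
    payload = gzip.decompress(data)  # raises on a corrupt stream or CRC/length mismatch
    name = gzip_original_name(data)
    try:
        return name, safe_target(dest_dir, name or ""), payload
    except ValueError:
        return name, None, payload
```

The weak join is what makes an absolute FNAME value land outside the extraction directory; the hardened variant rejects it before any write happens, which is the input-validation point SI-10 makes.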
Details
- CWE(s)