Attack Chain

1. Attacker compromises the SecureDrop Server, gaining control over its file handling processes.
2. Attacker crafts a malicious gzip archive containing filenames with absolute paths (e.g., /opt/securedrop/client/db.sqlite).
3. Attacker uploads this malicious gzip archive to the compromised SecureDrop Server.
4. The SecureDrop Client retrieves the malicious gzip archive from the SecureDrop Server via Tor.
5. The SecureDrop Client attempts to extract the contents of the gzip archive using a vulnerable extraction routine.
6. Due to improper filename validation, the extraction process overwrites critical files, such as the SQLite database, on the client’s virtual machine (sd-app).
7. The attacker achieves code execution by manipulating the overwritten files to execute arbitrary code upon the next application startup or during normal operation.
8. The attacker gains unauthorized access to decrypted source submissions and can exfiltrate sensitive data.

Impact

Successful exploitation of CVE-2026-35465 allows a compromised SecureDrop Server to execute arbitrary code on the SecureDrop Client’s virtual machine. This leads to a complete breach of confidentiality, integrity, and availability of decrypted source submissions handled by the client. Journalists relying on SecureDrop could have their sources exposed, leading to severe repercussions for both journalists and their sources. The impact is limited to SecureDrop deployments running vulnerable versions (0.17.4 and below).

Recommendation

• Upgrade all SecureDrop Client installations to version 0.17.5 or later to remediate CVE-2026-35465.
• Monitor SecureDrop Client systems for unusual file writes, especially to critical directories such as /opt/securedrop/client/ using the provided Sigma rule.
• Review and harden the SecureDrop Server’s security configuration to prevent initial compromise, as exploitation requires prior access to the server.