{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/securedrop/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-35465"},{"cvss":8.1,"id":"CVE-2025-24888"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["securedrop","gzip","code execution","vulnerability","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSecureDrop Client, a desktop application designed for secure communication between journalists and sources, is vulnerable to code execution (versions 0.17.4 and below). The vulnerability, identified as CVE-2026-35465, stems from improper filename validation during the extraction of gzip archives. A compromised SecureDrop Server can leverage this flaw to overwrite critical files, such as the SQLite database, on the Client\u0026rsquo;s virtual machine (sd-app). While exploiting this vulnerability requires prior compromise of the hardened SecureDrop Server (accessible only via Tor), successful exploitation leads to significant impact on the confidentiality, integrity, and availability of sensitive source submissions. This issue is similar to CVE-2025-24888, but arises through a different code path. Version 0.17.5 addresses this vulnerability with a more robust fix within the replacement SecureDrop Inbox codebase.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises the SecureDrop Server, gaining control over its file handling processes.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious gzip archive containing filenames with absolute paths (e.g., \u003ccode\u003e/opt/securedrop/client/db.sqlite\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker uploads this malicious gzip archive to the compromised SecureDrop Server.\u003c/li\u003e\n\u003cli\u003eThe SecureDrop Client retrieves the malicious gzip archive from the SecureDrop Server via Tor.\u003c/li\u003e\n\u003cli\u003eThe SecureDrop Client attempts to extract the contents of the gzip archive using a vulnerable extraction routine.\u003c/li\u003e\n\u003cli\u003eDue to improper filename validation, the extraction process overwrites critical files, such as the SQLite database, on the client\u0026rsquo;s virtual machine (sd-app).\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution by manipulating the overwritten files to execute arbitrary code upon the next application startup or during normal operation.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to decrypted source submissions and can exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35465 allows a compromised SecureDrop Server to execute arbitrary code on the SecureDrop Client\u0026rsquo;s virtual machine. This leads to a complete breach of confidentiality, integrity, and availability of decrypted source submissions handled by the client. Journalists relying on SecureDrop could have their sources exposed, leading to severe repercussions for both journalists and their sources. The impact is limited to SecureDrop deployments running vulnerable versions (0.17.4 and below).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all SecureDrop Client installations to version 0.17.5 or later to remediate CVE-2026-35465.\u003c/li\u003e\n\u003cli\u003eMonitor SecureDrop Client systems for unusual file writes, especially to critical directories such as \u003ccode\u003e/opt/securedrop/client/\u003c/code\u003e using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview and harden the SecureDrop Server\u0026rsquo;s security configuration to prevent initial compromise, as exploitation requires prior access to the server.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T01:16:18Z","date_published":"2026-04-18T01:16:18Z","id":"/briefs/2026-04-securedrop-gzip-vuln/","summary":"A compromised SecureDrop server can achieve code execution on the SecureDrop client's virtual machine by exploiting improper filename validation during gzip archive extraction, allowing for the overwriting of critical files.","title":"SecureDrop Client Code Execution via Gzip Extraction Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-securedrop-gzip-vuln/"}],"language":"en","title":"CraftedSignal Threat Feed — Securedrop","version":"https://jsonfeed.org/version/1.1"}