SecureDrop Client RCE: Server Compromise Leads to VM Takeover

The National Vulnerability Database has detailed CVE-2026-35465, a high-severity code execution vulnerability in SecureDrop Client versions 0.17.4 and below. This flaw allows a compromised SecureDrop Server to execute arbitrary code within the Client’s virtual machine (sd-app). The root cause lies in improper filename validation during gzip archive extraction, specifically permitting absolute paths which enables overwriting critical files, such as the SQLite database.

Exploitation requires a prior compromise of the SecureDrop Server, a hardened system typically accessible only via Tor hidden services. While this elevates attack complexity, the impact on confidentiality, integrity, and availability of decrypted source submissions is severe. This vulnerability mirrors CVE-2025-24888 in nature but exploits a distinct code path. A more robust fix has reportedly been implemented in the successor SecureDrop Inbox codebase.

Defenders need to understand the attacker’s calculus here: this isn’t a direct internet-facing RCE. It’s a post-compromise attack vector, allowing an adversary who has already breached a SecureDrop Server to extend their control further into the journalist’s workstation. This escalates a server compromise into a full workstation takeover, enabling deeper espionage or sabotage against sensitive communications. The fix is available in SecureDrop Client version 0.17.5.