[websites/kde-org] content/info/security: Security: Kleopatra: Local privilege escalation on Windows
Albert Astals Cid
null at kde.org
Wed Apr 8 08:15:16 BST 2026
Git commit b9bbb81e843cfee879eed0c81eaefa74ac5febb4 by Albert Astals Cid.
Committed on 08/04/2026 at 07:14.
Pushed by aacid into branch 'master'.
Security: Kleopatra: Local privilege escalation on Windows
CCMAIL: distributions at kde.org
CCMAIL: kde-security-preannounce at kde.org
A +42 -0 content/info/security/advisory-20260408-1.txt
M +1 -0 content/info/security/index.md
https://invent.kde.org/websites/kde-org/-/commit/b9bbb81e843cfee879eed0c81eaefa74ac5febb4
diff --git a/content/info/security/advisory-20260408-1.txt b/content/info/security/advisory-20260408-1.txt
new file mode 100644
index 0000000000..48283989a4
--- /dev/null
+++ b/content/info/security/advisory-20260408-1.txt
@@ -0,0 +1,42 @@
+KDE Project Security Advisory
+=============================
+
+Title: Kleopatra: Local privilege escalation on Windows
+Risk Rating: High
+CVE: PENDING
+Versions: kleopatra < 4.0.0.260800
+Author: Ingo Klöcker <kloecker at kde.org>
+Date: 8 April 2026
+
+Overview
+========
+
+Kleopatra contains a mechanism for ensuring that only one instance is running.
+On Windows, this mechanism can be exploited by a local unprivileged attacker
+to gain the full privileges of the user who runs Kleopatra.
+
+Impact
+======
+
+Kleopatra could be used in a staged attack to gain higher privileges up to
+full administrator privileges.
+
+Workaround
+==========
+
+Affected versions of Kleopatra should not be used on Windows systems with
+untrusted users or running untrusted software.
+In general, Kleopatra should never be run as administrator.
+
+Solution
+========
+
+Update to kleopatra >= 4.0.0.260800 (when released)
+
+Or apply this patch:
+https://commits.kde.org/kleopatra/73471abb92d99c56354adb582bfaec2764c22b79
+
+Credits
+=======
+
+Thanks to Vincent Bouzon from Ledger Donjon for reporting this issue.
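Review bot: the Overview and Impact sections of the new advisory state the outcome differently and should be reconciled. The Overview says the attacker gains "the full privileges of the user who runs Kleopatra", while Impact says "up to full administrator privileges"; as written, a reader may take the second as the default outcome rather than the case where Kleopatra is run by an administrator, which the Workaround's "should never be run as administrator" implies. Consider rewording Impact to something like "up to full administrator privileges if Kleopatra is run by an administrator". Two smaller points in the same file: "CVE: PENDING" should be replaced once the identifier is assigned, and the Solution line "Update to kleopatra >= 4.0.0.260800 (when released)" should be revisited after the release so the "(when released)" qualifier does not linger.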
diff --git a/content/info/security/index.md b/content/info/security/index.md
index f313332470..a542aba6f7 100644
--- a/content/info/security/index.md
+++ b/content/info/security/index.md
@@ -46,6 +46,7 @@ The KDE Security Advisories are crosslinked in the KDE Information Pages of
the KDE versions to which they apply to. The listing below is in chronological
order.
++ <a href="./advisory-20260408-1.txt">2026-04-08 Kleopatra: Local privilege escalation on Windows</a>
+ <a href="./advisory-20260109-1.txt">2026-01-09 Smb4K: Major security issues in KAuth mount helper</a>
+ <a href="./advisory-20260107-1.txt">2026-01-07 messagelib: man-in-the-middle vulnerability when accessing Google Safe Browsing API</a>
+ <a href="./advisory-20251229-1.txt">2025-12-29 LightDM KDE Greeter: Privilege Escalation in KAuth Helper Service</a>
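Review bot: the context lines above the new entry say "The listing below is in chronological order", but the new 2026-04-08 entry is inserted at the top, above 2026-01-09, so the list is newest-first; consider changing the intro to "reverse chronological order" so the wording matches the actual ordering. The same context line also carries a pre-existing grammar slip, "the KDE versions to which they apply to", where the trailing "to" should be dropped; it is worth fixing while this file is being touched.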