KDE Project Security Advisory: KDE Connect: Impersonation of paired devices, bypassing authentication

Albert Astals Cid aacid at kde.org
Wed Jan 7 00:27:12 GMT 2026


KDE Project Security Advisory
=============================

Title:           messagelib: man-in-the-middle vulnerability when accessing Google Safe Browsing API
Risk rating:     LOW
CVE:             CVE-2025-69412
Versions:        messagelib < 6.6.0 (KDE Gear 25.12.0)
Date:            7 January 2026

Overview
========

messagelib was ignoring SSL errors when contacting the Google Safe Browsing API.
Contacting the Google Safe Browsing API is disabled by default.
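As an added, defender-side example (not part of the advisory or of messagelib's own code): a small Python audit script that flags Qt network code which silently accepts TLS errors, the class of mistake described above. The two C++ snippets it scans are constructed; that messagelib's bug took the form of a sslErrors-to-ignoreSslErrors connection is an assumption, not something the advisory states.

```python
import re

# Patterns that disable certificate validation in Qt network code. The first is
# the shape the messagelib bug is ASSUMED to have had (not stated in the advisory):
# wiring QNetworkReply::sslErrors straight to QNetworkReply::ignoreSslErrors.
PATTERNS = [
    (re.compile(r"\bignoreSslErrors\b"),
     "SSL errors ignored: the request continues after a failed certificate check"),
    (re.compile(r"setPeerVerifyMode\s*\(\s*QSslSocket::VerifyNone\s*\)"),
     "peer verification disabled"),
]

# Strip trailing '//' comments but not the '//' inside URLs such as https://...
COMMENT_RE = re.compile(r"(?<!:)//.*$")


def find_tls_bypasses(source: str):
    """Return (line_number, line_text, reason) for each line that disables TLS validation."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = COMMENT_RE.sub("", line)
        if not code.strip():
            continue
        for pattern, reason in PATTERNS:
            if pattern.search(code):
                findings.append((lineno, line.strip(), reason))
                break
    return findings


# Constructed sample of the vulnerable shape (class and member names are made up).
VULNERABLE = """\
QNetworkReply *reply = mNam->post(request, body);
// Any certificate problem is silently accepted:
connect(reply, &QNetworkReply::sslErrors, reply,
        qOverload<const QList<QSslError> &>(&QNetworkReply::ignoreSslErrors));
connect(reply, &QNetworkReply::finished, this, &UrlCheckJob::slotFinished);
"""

# Constructed sample of the hardened shape: no sslErrors handler, so a failed
# certificate check aborts the reply with QNetworkReply::SslHandshakeFailedError.
FIXED = """\
QNetworkReply *reply = mNam->post(request, body);
connect(reply, &QNetworkReply::finished, this, &UrlCheckJob::slotFinished);
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        hits = find_tls_bypasses(src)
        print(f"{label}: {len(hits)} finding(s)")
        for lineno, text, reason in hits:
            print(f"  line {lineno}: {reason}\n    {text}")
```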

Impact
======

An attacker could intercept and manipulate traffic between the applications using messagelib
(KMail, Akregator, etc.) and the Google Safe Browsing service, potentially compromising the
integrity of the safety checks performed on URLs.

Solution
========

Update to messagelib 6.6.0 (KDE Gear 25.12.0) or later.

Apply https://invent.kde.org/pim/messagelib/-/commit/df525dc91498423f3c45e143efab1c7102776652
for older messagelib versions.

Credits
=======

Thanks to Valeriy Manzhos for reporting this issue.


https://kde.org/info/security/advisory-20260107-1.txt
