We have released SecureDrop 2.16.1 to address an issue in which Onion Service client authentication credentials may have been inadvertently copied to the Monitor Server.
This release fixes the underlying issue and deletes the credentials from the server. But if your server was affected, manual administrator action is recommended to rotate the affected credentials.
As detailed below, we consider this to be a low-priority issue because the Monitor Server is already a privileged environment. SecureDrop uses Onion Service authentication as an extra layer of hardening; it is never the sole authentication layer protecting a resource.
Administrator instructions
This issue only affects SecureDrop instances that have journalist alerts disabled and have run the securedrop-admin install command since December 2025. If your instance is affected, you will receive an OSSEC email alert with the subject line OSSEC Notification - mon - Alert level 12 within 24-48 hours.
Alternatively, instead of waiting, from your Admin Workstation you can run the command: ssh mon sudo ls /var/ossec /etc. If either tor_v3_keys.json or securedrop-removed-config-files are present, then your instance was affected.
Affected instances should rotate their Onion Service client auth credentials; please see the documentation for instructions. If you have any questions or need assistance, please reach out to SecureDrop Support.
Technical details
When running the securedrop-admin install Ansible playbook, if journalist alerts are disabled, a logic bug would copy all the files in the ~/.config/securedrop-admin/ folder, including the Onion Service client auth credentials, over to the Monitor Server.
The Onion Service client auth credentials are used to protect the Journalist Interface, and if enabled, SSH to the Application and Monitor Servers. In all cases, this serves as an additional layer of protection, as an attacker would still need to compromise a user’s username, passphrase, and multifactor authentication for access to the Journalist Interface, and SSH keys for SSH access.
Nonetheless, we are recommending SecureDrop administrators rotate affected credentials as a matter of precaution.
This issue is still pending CVE assignment and fixed by this commit. It has a CVSSv3 score of 2.6.
Thank you to suzuya1331, who first reported this to us through the SecureDrop bug bounty program; we've awarded them $500 for the discovery.
Acknowledgments
This release incorporates Freedom of the Press Foundation (FPF) contributions by Martin C; Nathan Dyer, communications manager; Micah Lee; Kunal Mehta; Cory Francis Myers; Vicki Niu; Kevin O’Gorman, release manager; Francisco Rocha; John Skinner; and Rowen S.
Questions and comments
If you have questions or comments regarding this release, please contact us:
- Via Signal, either in your dedicated SecureDrop support group, or by contacting the support account listed at securedrop.org/help/.
- Via securedrop@freedom.press (PGP encrypted) for sensitive security issues (please use judiciously), or submit a report via Bugcrowd.
We also encourage you to file nonsensitive issues via our GitHub repository.
Thank you for using SecureDrop!