SecureDrop 2.16.0 is now available. This release includes a number of improvements to the API used by the SecureDrop Inbox, and fixes a low-severity security vulnerability. We are not aware of any exploitation in the wild.
This update will be installed automatically via the daily update process. No further action is required.
A full list of changes can be found on GitHub.
API session token can be reused against web UI
An attacker who is able to gain access to both the Journalist Interface hidden service and a recent API session token could reuse that token against the web UI until it naturally expires (8 hours).
Despite the CVSSv3 score of 5.0 (medium), we consider this to be a low-severity vulnerability, because it requires an attacker to first gain access to the secret JI onion address, the authentication token, and a non-expired API session token.
This issue was assigned CVE-2026-50000 and fixed by this commit, which treats the SessionInterface object as immutable.
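As an added illustration of the class of issue described above (example code written for this post; it is not SecureDrop's code and not the actual fix), one defensive pattern is to record which interface a token was issued for in an immutable session record and refuse the token on any other interface. `SessionStore`, the `scope` field and the weak `validate_unscoped` check are hypothetical names chosen for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 8 * 3600  # matches the 8-hour natural expiry in the advisory


@dataclass(frozen=True)  # frozen: a session record cannot be altered after issue
class Session:
    user: str
    scope: str        # "api" or "web": the interface the token was issued for
    expires_at: float


class SessionStore:
    """Hypothetical in-memory token store (constructed for this example)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def issue(self, user: str, scope: str, now: Optional[float] = None) -> str:
        """Create a token bound to the interface (scope) that requested it."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, scope, now + TOKEN_TTL_SECONDS)
        return token

    def _lookup(self, token: str, now: float) -> Optional[Session]:
        s = self._sessions.get(token)
        if s is None or now >= s.expires_at:
            return None
        return s

    def validate_unscoped(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Weak check: any live token is accepted by any interface."""
        now = time.time() if now is None else now
        s = self._lookup(token, now)
        return s.user if s else None

    def validate(self, token: str, scope: str, now: Optional[float] = None) -> Optional[str]:
        """Hardened check: token must be live AND issued for this interface."""
        now = time.time() if now is None else now
        s = self._lookup(token, now)
        if s is None or s.scope != scope:
            return None
        return s.user
```

With the hardened check, an API token presented to the web interface is rejected even while it is still valid for the API.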
Thank you to brian-1, who first reported this to us through the SecureDrop bug bounty program; we've awarded him $500 for the discovery. We'd additionally like to thank the other 30-plus reporters who notified us about this issue.
Acknowledgments
This release was made possible thanks to volunteer code contributions from Heath Dutton and C2015.
Thanks to Localization Lab for continued support with our translations. Translations were updated thanks to the work of many volunteers:
- John Smith (Ecron)
- Ricky Tigg
- AO yahoe.001
- Sveinn í Felli
- Claudio Arseni
- Maryam Azad
- Adam Rak
- Anatoli (fr0st)
This release incorporates Freedom of the Press Foundation (FPF) contributions by Martin C; Nathan Dyer, communications manager; Micah Lee; Kunal Mehta; Cory Francis Myers; Vicki Niu; Kevin O’Gorman, release manager; Francisco Rocha; John Skinner; and Rowen S.
Questions and comments
If you have questions or comments regarding this release, please contact us:
- Via Signal, either in your dedicated SecureDrop support group, or by contacting the support account listed at securedrop.org/help/.
- Via securedrop@freedom.press (PGP encrypted) for sensitive security issues (please use judiciously), or submit a report via Bugcrowd.
We also encourage you to file nonsensitive issues via our GitHub repository.
Thank you for using SecureDrop!