We are pleased to announce that SecureDrop Client 0.17.5 is now available.
This update addresses a low-priority security issue; we are not aware of any exploitation in the wild. It will be applied automatically during preflight updates; no further action is required by administrators or journalists. If you have any questions, please contact SecureDrop support via Signal or encrypted email.
Path injection in SecureDrop Client
This update addresses a path injection vulnerability discovered in SecureDrop Client. A compromised SecureDrop server could send a specially crafted file to a journalist's SecureDrop Client and, through the path the client derived from it, gain code execution in the trusted sd-app VM. This issue was fixed with this commit.
This vulnerability was assigned CVE-2026-35465. It has a CVSSv3 score of 7.5, but because exploitation requires an already-compromised server, it is a low-priority issue in practice.
Thank you to cookiejack15 for reporting this through the SecureDrop bug bounty program; we’ve awarded them $2,500 for the discovery.
Note that a recent external security audit we commissioned did not include the SecureDrop Client, as it is being phased out over the next month. To prevent further issues of this kind, the new SecureDrop Inbox has a centralized path verification and sanitization layer, and we’re looking into further enhancing it with taint analysis and other tooling.
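To make the class of bug concrete, and to show what a "centralized path verification and sanitization layer" has to check, here is an added Python example. It is illustrative code written for this post, not the SecureDrop Client's fix or the SecureDrop Inbox implementation, and it makes no claim about how the reported bug actually worked. The download directory, the server-supplied filenames and the function names are constructed for the example.

```python
"""Added example: defensive handling of a server-supplied filename.

A client that downloads files whose names are chosen by the server must treat
those names as untrusted. Joining such a name onto a local download directory
without validation lets a compromised server steer the write anywhere the client
can write (path injection). This is a generic illustration, not project code.
"""
import os
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a server-supplied filename would escape the download directory."""


def unsafe_download_path(download_dir: str, server_filename: str) -> str:
    """Vulnerable pattern (constructed for illustration).

    os.path.join discards download_dir entirely when server_filename is
    absolute, and '..' components are never rejected, so the server decides
    where the file lands.
    """
    return os.path.normpath(os.path.join(download_dir, server_filename))


def safe_download_path(download_dir: str, server_filename: str) -> Path:
    """Hardened form: the server may pick one file name, never a path.

    Two independent layers:
    1. syntactic checks on the name itself (no separators, NUL, dot components);
    2. a containment check on the resolved path, which catches anything the
       first layer missed, e.g. an attacker-planted symlink in download_dir.
    """
    if not server_filename or "\x00" in server_filename:
        raise UnsafePathError("empty or NUL-containing filename")
    if "/" in server_filename or "\\" in server_filename:
        raise UnsafePathError(f"path separator in filename: {server_filename!r}")
    if server_filename in (".", ".."):
        raise UnsafePathError("dot component as filename")

    base = Path(download_dir).resolve()
    candidate = (base / server_filename).resolve()
    # The file must be a direct child of the download directory after symlink
    # resolution; anything else means the name or the filesystem was tampered with.
    if candidate.parent != base:
        raise UnsafePathError(f"{candidate} is not directly inside {base}")
    return candidate


def is_accepted(download_dir: str, server_filename: str) -> bool:
    """True if safe_download_path accepts the name, False if it rejects it."""
    try:
        safe_download_path(download_dir, server_filename)
        return True
    except UnsafePathError:
        return False


# Constructed server-supplied names (not real SecureDrop API data): one benign,
# the rest what a compromised server might send.
SERVER_FILENAMES = [
    "1-witty-otter-doc.gz.gpg",                 # benign
    "../../home/user/.bashrc",                  # relative traversal
    "/home/user/.config/autostart/x.desktop",   # absolute path
    "a\x00.gpg",                                # NUL byte
    "..",                                       # dot component
]


def triage(download_dir: str = "/srv/downloads") -> dict:
    """For each name: where the vulnerable join would write, and whether the
    hardened check accepts it."""
    return {
        name: {
            "vulnerable_target": unsafe_download_path(download_dir, name),
            "accepted": is_accepted(download_dir, name),
        }
        for name in SERVER_FILENAMES
    }


if __name__ == "__main__":
    for name, r in triage().items():
        print(f"{name!r:45} -> {r['vulnerable_target']:45} accepted={r['accepted']}")
```

Running the script shows the benign name landing under the download directory while the traversal and absolute-path names would have been written to the user's home directory by the vulnerable join; every hostile name is rejected by the hardened check. Doing this in one function that every download path goes through, rather than at each call site, is the point of a centralized sanitization layer: a reviewer only has to audit the single place where server-controlled names become filesystem paths.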
Acknowledgments
This release incorporates Freedom of the Press Foundation (FPF) contributions by Martin C; Nathan Dyer, communications manager; Micah Lee; Kunal Mehta, release manager; Cory Francis Myers; Vicki Niu; Kevin O’Gorman; Francisco Rocha, deputy release manager; John Skinner; and Rowen S.
Questions and comments
If you have questions or comments regarding this release, please contact us:
- Via Signal, either in your dedicated SecureDrop Support group, or by contacting the support account listed at securedrop.org/help/.
- Via securedrop@freedom.press (PGP encrypted) for sensitive security issues (please use judiciously), or submit a report via Bugcrowd.
We also encourage you to file nonsensitive issues via our GitHub repository. Thank you for using SecureDrop!
Security research
Researchers may submit security vulnerabilities either through our bug bounty program or via encrypted email to securedrop@freedom.press (public key, fingerprint: 734F 6E70 7434 ECA6 C007 E1AE 82BD 6C96 16DA BB79).