The OpenSSL TLS backend in Qt Network (qtbase) contains an uncontrolled search path element that permits a local attacker to load a crafted CA certificate from the application's working directory as a trusted system authority. By creating a certificate file in a directory that Qt scans during TLS initialization, the attacker can elevate the certificate to an accepted root CA, enabling subsequent TLS session interception or decryption for Qt applications that rely on that backend. This flaw is a classic example of CWE‑427 and allows local privilege escalation in the context of the running application.

The Qt Company products include the Qt Framework, specifically the Qt Network component that uses an OpenSSL TLS backend on Unix‑like operating systems. No specific version information is provided, so any installation that incorporates the default qtbase OpenSSL TLS backend may be vulnerable.

The CVSS score of 1.8 reflects the low magnitude of impact when the flaw is only exploitable locally. Because the attacker must place a certificate file in the application's working copy, exploitation requires local access or control over the application environment. With no EPSS score reported and absence from CISA KEV, this vulnerability is not currently known to be actively exploited in the wild. Nonetheless, the flaw provides a foothold for persistent man‑in‑the‑middle attacks against Qt applications that trust the OpenSSL backend.