Description
The new upstream added a privileged D-Bus helper called plasmaloginauthhelper, which suffers from multiple issues, e.g. a compromised plasmalogin service account can chown() arbitrary files in the system.
Published: 2026-05-13
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A newly added privileged D‑Bus helper named plasmaloginauthhelper in the KDE Plasma‑login‑manager can be misused by a compromised plasmalogin service account to call chown on arbitrary files within the system. This flaw effectively allows a process that normally has only limited privileges to alter file ownership, enabling an attacker to modify or replace critical system files, elevate permissions, or otherwise tamper with the operating environment. The vulnerability is a classic instance of vulnerable privilege management and carries an elevated risk to confidentiality, integrity, and availability.

Affected Systems

The affected product is KDE’s Plasma‑login‑manager component. No specific product versions are listed in the available data, so any installation that includes the latest upstream plasmaloginauthhelper code may be vulnerable.

Risk and Exploitability

The CVSS score of 7 indicates a high severity. Although an EPSS score is not provided, the absence of KEV listing suggests no known current exploitation. The attack vector is inferred to be local; an attacker who already has access sufficient to compromise or abuse the plasmalogin service account can trigger the vulnerability. Consequently, systems where the plasmalogin service runs with elevated rights and the helper is enabled represent the highest risk, and the vulnerability can be leveraged to gain system‑wide control if the attacker has access to the implicated account.

Generated by OpenCVE AI on May 13, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update KDE Plasma‑login‑manager to the latest release that includes the upstream fix for plasmaloginauthhelper
  • If an update is not yet available, disable or uninstall the plasmaloginauthhelper service to remove the privileged helper from the system
  • Limit the privileges granted to the plasmalogin service account so it cannot perform chown on system files, ensuring it operates with the minimal permissions required for normal functionality

Advisories

No advisories yet.

History

Wed, 13 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
References | |

Wed, 13 May 2026 11:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Kde; Kde plasma-login-manager
Vendors & Products | | Kde; Kde plasma-login-manager

Wed, 13 May 2026 10:30:00 +0000

Type | Values Removed | Values Added
Title | | Privileged D-Bus Helper Allows Service Account to Modify System Files

Wed, 13 May 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | | The new upstream added a privileged D-Bus helper called plasmaloginauthhelper, which suffers from multiple issues, e.g. a compromised plasmalogin service account can chown() arbitrary files in the system.
Weaknesses | | CWE-250
References | |
Metrics | | cvssV4_0: {'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: suse

Published:

Updated: 2026-05-13T10:48:34.575Z

Reserved: 2026-02-05T15:37:24.184Z

Link: CVE-2026-25710

Vulnrichment

Updated: 2026-05-13T09:04:49.938Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T13:01:30.807

Modified: 2026-05-13T15:35:35.267

Link: CVE-2026-25710

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:34:40Z

Weaknesses