CVE-2026-41525 - Vulnerability Details

- Dolphin Flatpak Confinement Bypass via FileManager1 Path Spoofing

Description

KDE Dolphin before 25.12.3 allows applications in a Flatpak (or with AppArmor confinement) to open folders outside of the application sandbox without additional scrutiny. Dolphin's implementation of the FileManager1 protocol allows the path given to be any type of file, including scripts or executables. (By default, Dolphin will then prompt the user to determine if they want to launch a script or executable; however, the intended behavior is to block the attempted action, not present a consent prompt.)

Published: 2026-04-28

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the Dolphin FileManager1 protocol implementation, which allows an application running inside a Flatpak or AppArmor sandbox to supply a path that points to any file, including scripts or executables, located outside the sandbox. The intended behaviour of Dolphin is to block such actions, but the current implementation incorrectly presents a user‑confirmation prompt, effectively permitting the action. This flaw permits the sandboxed application to read, write, or execute arbitrary files outside its confinement, undermining the isolation guarantees and enabling possible privilege escalation or data exfiltration.

Affected Systems

KDE Dolphin versions earlier than 25.12.3 are affected. This includes all releases of Dolphin distributed by KDE prior to the v25.12.3 update.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The exploit requires an application able to communicate with Dolphin via the FileManager1 protocol; this is typically a Flatpak or AppArmor confined application. Because the flaw permits arbitrary file system access beyond the sandbox boundaries, it can be used to read sensitive data or execute malicious code. The lack of a confirmed public exploit suggests the risk remains theoretical, but the flaw provides a clear pathway for privilege escalation that should be addressed promptly.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

KDE

Dolphin

unaffected

Version	Status	Constraints
`0`	affected	< 25.12.3

No data.

Vendor Product Confidence Versions

Kde

Dolphin

100%

Version	Status	Scheme	Platform
`[0,25.12.3)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update KDE Dolphin to version 25.12.3 or later, which includes the FileManager1 path validation fix.
For Flatpak users, revoke or reduce the permissions of sandboxed applications that communicate with Dolphin, or temporarily disable the FileManager1 protocol until a patch is applied.
Ensure Dolphin's AppArmor profile prohibits arbitrary path access and replace it with the updated profile released by KDE once available.

Generated by OpenCVE AI on April 28, 2026 at 12:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00012.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/KDE/dolphin/releases/tag/v25.12.3
https://invent.kde.org/system/dolphin/
https://kde.org/info/security/advisory-20260427-2.txt

History

Tue, 28 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 28 Apr 2026 13:00:00 +0000

Type	Values Removed	Values Added
Title		Dolphin Flatpak Confinement Bypass via FileManager1 Path Spoofing

Tue, 28 Apr 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Kde Kde dolphin
Vendors & Products		Kde Kde dolphin

Tue, 28 Apr 2026 07:30:00 +0000

Type	Values Removed	Values Added
Description		KDE Dolphin before 25.12.3 allows applications in a Flatpak (or with AppArmor confinement) to open folders outside of the application sandbox without additional scrutiny. Dolphin's implementation of the FileManager1 protocol allows the path given to be any type of file, including scripts or executables. (By default, Dolphin will then prompt the user to determine if they want to launch a script or executable; however, the intended behavior is to block the attempted action, not present a consent prompt.)
Weaknesses		CWE-669
References		https://github.com/KDE/dolphin/releases/tag/v25.12.3 https://invent.kde.org/system/dolphin/ https://kde.org/info/security/advisory-20260427-2.txt
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L'}`

Subscriptions

Kde Dolphin

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-04-28T00:00:00.000Z

Updated: 2026-04-28T13:44:54.714Z

Reserved: 2026-04-20T00:00:00.000Z

Link: CVE-2026-41525

Vulnrichment

Updated: 2026-04-28T13:40:11.678Z

NVD

Status : Awaiting Analysis

Published: 2026-04-28T08:16:01.477

Modified: 2026-04-28T20:23:20.703

Link: CVE-2026-41525

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T12:45:31Z

Weaknesses

CWE-669

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object