Description
KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there is an error in the mechanism (KUniqueService) for ensuring that only one instance is running.
Published: 2026-04-21
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Patch
AI Analysis

Impact

KDE Kleopatra before 26.08.0 on Windows contains a flaw in the KUniqueService component that does not correctly enforce the intended single‑instance rule. This error allows a local user to gain the privileges of the Kleopatra user, effectively escalating their privileges within the local environment. The vulnerability is aligned with CWE‑670 and provides attackers with the ability to perform actions as the Kleopatra user, potentially expanding the attack surface for local privileges.

Affected Systems

The affected vendor is KDE, product Kleopatra. All releases prior to version 26.08.0 on Windows are impacted. No Windows‑specific sub‑versions or alternate operating systems were listed in the advisory.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity risk, and the EPSS score is not available, making the precise exploitation probability unclear. The vulnerability is not listed in CISA's KEV catalog. Attackers need local user access on a Windows system; no remote or network‑based attack vector is described. The risk manifests as local privilege escalation, allowing a malicious local user to execute Kleopatra processes with elevated rights.

Generated by OpenCVE AI on April 22, 2026 at 06:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kleopatra to version 26.08.0 or later from the official KDE releases.
  • If an immediate upgrade is not possible, uninstall the current Kleopatra installation and reinstall a fixed version from a trusted source.
  • Reduce local account privileges to limit the impact of a potential privilege escalation within Kleopatra.

Generated by OpenCVE AI on April 22, 2026 at 06:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Kde
Kde kleopatra
Vendors & Products Kde
Kde kleopatra

Wed, 22 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via KUniqueService in KDE Kleopatra

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there is an error in the mechanism (KUniqueService) for ensuring that only one instance is running.
Weaknesses CWE-670
References
Metrics cvssV3_1

{'score': 6.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

Kde Kleopatra
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-22T15:35:24.571Z

Reserved: 2026-04-20T00:00:00.000Z

Link: CVE-2026-41527

cve-icon Vulnrichment

Updated: 2026-04-22T12:58:50.724Z

cve-icon NVD

Status : Received

Published: 2026-04-21T22:16:20.363

Modified: 2026-04-21T22:16:20.363

Link: CVE-2026-41527

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:47:01Z

Weaknesses