Description
bookserver in KDE Arianna before 26.04.1 allows attackers to read files over a socket connection by guessing a URL.
Published: 2026-04-24
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability in KDE Arianna’s bookserver allows an attacker to read arbitrary files by guessing a URL over a socket connection. This provides unauthorized access to potentially sensitive data on the system. The weakness is a Missing Authentication for Sensitive Functionality flaw (CWE‑306), meaning the server does not require proper credentials before allowing file reads.

Affected Systems

KDE Arianna is affected in all releases prior to 26.04.1. The issue exists in the bookserver component and does not apply to versions 26.04.1 and later, which already contain the fix.

Risk and Exploitability

The CVSS score of 4 indicates moderate severity, and the EPSS score of less than 1% suggests exploitation is unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog, further implying limited exploitation activity. Attackers would need network or local access to the socket used by the bookserver; the likely vector is sending crafted URLs to the socket, bypassing authentication due to the design flaw.

Generated by OpenCVE AI on April 28, 2026 at 14:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade KDE Arianna to version 26.04.1 or newer to eliminate the file‑read flaw.
  • If upgrading is not immediately possible, restrict the bookserver socket to trusted hosts or localhost only using firewall or network access controls.
  • Continuously monitor incoming connections to the bookserver for anomalous URL requests and review logs for signs of unauthorized file access.

Generated by OpenCVE AI on April 28, 2026 at 14:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Title File Disclosure via URL Guessing in KDE Arianna bookserver

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Kde
Kde arianna
Vendors & Products Kde
Kde arianna

Mon, 27 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
Title File Disclosure via URL Guessing in KDE Arianna bookserver

Fri, 24 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description bookserver in KDE Arianna before 26.04.1 allows attackers to read files over a socket connection by guessing a URL.
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Kde Arianna
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-24T14:41:51.939Z

Reserved: 2026-04-24T00:00:00.000Z

Link: CVE-2026-42095

cve-icon Vulnrichment

Updated: 2026-04-24T14:41:32.781Z

cve-icon NVD

Status : Deferred

Published: 2026-04-24T15:16:48.273

Modified: 2026-04-24T17:55:55.317

Link: CVE-2026-42095

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T14:45:16Z

Weaknesses