Description
Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project file is used.
Published: 2026-05-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Kdenlive versions before 26.04.1 allow a maliciously crafted project file to specify proxy settings that the application will use without validating the input. This flaw enables the program to configure its network proxy to point to arbitrary addresses, potentially causing data to be routed through attacker-controlled servers or exposing sensitive information. The weakness is a lack of input validation on proxy parameters supplied from untrusted source files.

Affected Systems

The CNA vendor is KDE's Kdenlive. All releases earlier than 26.04.1 are affected, and any user running these versions on a platform that can open project files is susceptible to this issue.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate overall risk, and no EPSS information is available, so the current likelihood of exploitation is unknown. The vulnerability is not yet listed in the CISA KEV catalog. Because the attacker must provide a crafted project file, the attack vector is typically local or remote file-based. An attacker can exploit this by convincing a user to open a malicious project file, after which the application may route traffic through unauthorized proxy servers, potentially exposing data or enabling further network attacks.

Generated by OpenCVE AI on May 10, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kdenlive to version 26.04.1 or newer, which removes the ability to set proxy parameters from project files.
  • Avoid opening project files from untrusted sources, and if necessary, validate project files against a trusted source before opening them.
  • Configure network security controls to restrict the use of proxy servers or to monitor unexpected proxy usage by applications.

Advisories

No advisories yet.

History

Sun, 10 May 2026 00:30:00 +0000

Type | Values Removed | Values Added
Title | | Malicious Project File Enables Arbitrary Proxy Configurations

Sat, 09 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | | Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project file is used.
Weaknesses | | CWE-829
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-09T22:31:59.528Z

Reserved: 2026-05-09T22:25:05.151Z

Link: CVE-2026-45184

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-09T23:16:32.787

Modified: 2026-05-09T23:16:32.787

Link: CVE-2026-45184

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T00:30:05Z

Weaknesses