KDE Project Security Advisory
=============================

Title:          Kleopatra: Local privilege escalation on Windows
Risk Rating:    High
CVE:            CVE-2026-41527
Versions:       kleopatra < 26.08.0
Author:         Ingo Klöcker
Date:           8 April 2026

Overview
========

Kleopatra contains a mechanism for ensuring that only one instance is
running. On Windows, this mechanism can be exploited by a local
unprivileged attacker to gain the full privileges of the user who runs
Kleopatra.

Impact
======

Kleopatra could be used in a staged attack to gain higher privileges up
to full administrator privileges.

Workaround
==========

Affected versions of Kleopatra should not be used on Windows systems
with untrusted users or running untrusted software. In general,
Kleopatra should never be run as administrator.

Solution
========

Update to kleopatra >= 26.08.0 (when released)

Or apply this patch:
https://commits.kde.org/kleopatra/73471abb92d99c56354adb582bfaec2764c22b79

Credits
=======

Thanks to Vincent Bouzon from Ledger Donjon for reporting this issue.