KDE Project Security Advisory
=============================

Title:          Dolphin: Improper handling of FileManager1.ShowFolders arguments allows sandbox escape
Risk rating:    Medium
CVE:            CVE-2026-41525
Versions:       Dolphin < 25.12.3
Date:           27 April 2026

Overview
========

A bug in Dolphin's handling of org.freedesktop.FileManager1.ShowFolders
allows escaping Flatpak sandboxes and AppArmor confinement by launching
executables.

If the URL given in ShowFolders is a file, Dolphin incorrectly acts as
though the file should be activated. If a user has reconfigured Dolphin
to run scripts without prompts, this could result in code execution.

Impact
======

An attacker can craft specially formed input, links, or requests that
cause Dolphin to launch executables outside the current sandbox or
confined environment. This may allow bypassing Flatpak sandbox
restrictions or AppArmor policies and result in arbitrary code execution
with the privileges of the user.

Workaround
==========

Ensure the setting "When opening an executable file" is set to
"Always ask".

Solution
========

Either:

- Update Dolphin to version 25.12.3 or later.
- Apply the patch
  https://invent.kde.org/system/dolphin/-/commit/42f099a5ba10e8948cae8f7e364c94129131326c

Credits
=======

Thanks to Aaron Rainbolt for reporting the issue and Harald Sitter for
providing the fix.