CVE-2026-41527 PUBLISHED

Assigner: mitre
Reserved: 20.04.2026 Published: 21.04.2026 Updated: 21.04.2026

KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there is an error in the mechanism (KUniqueService) for ensuring that only one instance is running.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
CVSS Score: 6.9

Attack Vector	Local	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	KDE
Product	Kleopatra
Versions	Default: unaffected affected from 0 to 26.08.0 (excl.)

References

https://github.com/KDE/kleopatra/releases
https://commits.kde.org/kleopatra/73471abb92d99c56354adb582bfaec2764c22b79
https://kde.org/info/security/advisory-20260408-1.txt

Problem Types

CWE-670 Always-Incorrect Control Flow Implementation CWE