Patreon Logo Support us on Patreon to keep GamingOnLinux alive. This ensures all of our main content remains free for everyone. Just good, fresh content! Alternatively, you can donate through PayPal Logo PayPal. You can also buy games using our partner links for GOG and Humble Store.
We use affiliate links to earn us some pennies. Learn more.

KDE Connect security advisory released due to possible authentication bypass

By -
4 comments

Last updated: 1 Dec 2025 at 11:31 am UTC

KDE Connect is a popular cross-platform app that allows you to send files across devices and more - with a security advisory being sent out due to a woops. Noted as CVE-2025-66270, that woops could allow an attacker to entirely skip proper authentication.

An overview of the issue:

Versions of KDE Connect released after March 2025 implement version 8 of the KDE Connect protocol. In this version, the discovery of other devices with KDE Connect on your network involves an additional packet exchange between the two devices. While the first packet is used to determine if a device is paired or not, this additional packet is used to identify the device that is connecting.

The vulnerable implementations of KDE Connect were not checking that the device ID in the first packet and the device ID in the second packet were the same. This could be abused by first sending a device ID of an unpaired device which doesn't require authentication, followed by sending the device ID of a paired device in order to impersonate it.

The vulnerable versions they list are:

  • KDE Connect desktop >= 25.04 and < 25.12
  • KDE Connect iOS >= v0.5.2 and < 0.5.4
  • KDE Connect Android >= v1.33.0 and < 1.34.4
  • GSConnect >= 59 and < 68
  • Valent >= v1.0.0.alpha.47 and < v1.0.0.alpha.49

The KDE developers are suggesting you stop using KDE Connect until your Linux distribution releases an update for it, or to manually patch it yourself if you're able to.

See more in the security advisory.

Article taken from GamingOnLinux.com.
Tags: Security, Apps, KDE, Misc
9 Likes
About the author -
author picture
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly checked on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly.
See more from me
Some you may have missed, popular articles from the last month:
Cleared Hot is everything you could want in a modern twin-stick helicopter shooter
Steam Deck tweaked to fix delays with the screen-off downloads, and other Desktop Linux fixes recently
The huge fan-made TimeSplitters Rewind is out now in Early Access
The excellent Yet Another Zombie Survivors is finally Steam Deck Verified
All posts need to follow our rules. Please hit the Report Flag icon on any post that breaks the rules or contains illegal / harmful content. Readers can also email us for any issues or concerns.
4 comments Subscribe

Eike 5 hours ago
  • Supporter Plus
What a nice piece of software, this! emoji
emphy 5 hours ago
A bit fuzzy on why the communications seem to not be secured in a manner that prevents this from becoming a problem.

I.e.: I would have expected encrypted channels to make the question of authentication moot. If they aren't, I would strongly suggest not using kde connect on public/unknown networks regardless of the bug mentioned in the article.


Last edited by emphy on 1 Dec 2025 at 2:01 pm UTC
mr-victory 4 hours ago
What is "ID", an internal UUID or the name I pick on the UI?
Kithop 1 hour ago
Looks like the Google Play version's already updated for me, and there is an option for allowlisting specific Wifi networks rather than the default 'any'.

However, it looks like Arch hasn't caught up just yet ( https://archlinux.org/packages/extra/x86_64/kdeconnect/ )

EDIT: While grabbing the PKGBUILD to see about manually building the update for now, it looks like they're backporting the patch in the already-available 25.08.3-2.

From the article-linked advisory:
https://invent.kde.org/network/kdeconnect-kde/-/commit/4e53bcdd5d4c28bd9fefd114b807ce35d7b3373e
->
https://invent.kde.org/network/kdeconnect-kde/-/commit/1d757349.patch

And then in Arch specifically:
https://gitlab.archlinux.org/archlinux/packaging/packages/kdeconnect/-/commit/08ea078c37bccf36079b7b76e876104618c5e586


Last edited by Kithop on 1 Dec 2025 at 6:53 pm UTC
While you're here, please consider supporting GamingOnLinux on:

Reward Tiers: Patreon Logo Patreon. Plain Donations: PayPal Logo PayPal.

This ensures all of our main content remains totally free for everyone! Patreon supporters can also remove all adverts and sponsors! Supporting us helps bring good, fresh content. Without your continued support, we simply could not continue!

You can find even more ways to support us on this dedicated page any time. If you already are, thank you!
Login / Register
Register Forgot Login?
★ Support Us
Popular this week
Search or view by category
Contact
Latest Guides
MorrowindHow to setup OpenMW for modern Morrowind on Linux / SteamOS and Steam Deck
By Liam Dawe,
9
Hollow Knight: SilksongHow to install Hollow Knight: Silksong mods on Linux, SteamOS and Steam Deck
By Liam Dawe,
1
> View more Tips & Guides
Buy Games
Buy games with our affiliate / partner links:
Misc