The developers of the popular KDE Connect application for desktop computers and mobile phones issued a security advisory this weekend stating you should stop using certain versions of the app on untrusted networks. A security flaw allows devices running those versions to interact with devices pretending to be ones you authenticated in the past.
The security advisory says if you want to avoid risk, you should stop using KDE Connect and its variants with the following version numbers on public networks with devices you don't know:
| App | First Vulnerable Version | Patched Version |
|---|---|---|
| KDE Connect desktop | 25.04 | 25.12 |
| KDE Connect iPhone | 0.5.2 | 0.5.4 |
| KDE Connect Android | 1.33.0 | 1.34.4 |
| GSConnect | 59 | 68 |
| Valent | 1.0.0.alpha.47 | 1.0.0.alpha.49 |
You'll need to check the version number of the apps you're using. If it's the patched version number or greater, you're safe to keep using KDE Connect, GSConnect, or Valent. If you're running a version at or above the first vulnerable version but below the patched version, then you should take caution until an update arrives.
Going into detail on how the exploit works, the developers wrote this in the security advisory:
The vulnerable implementations of KDE Connect were not checking that the device ID in the first packet and the device ID in the second packet were the same. This could be abused by first sending a device ID of an unpaired device which doesn't require authentication, followed by sending the device ID of a paired device in order to impersonate it.
Essentially, an attacker on the local network, if they know the ID of a device you already paired, could pretend to be that device. They could then presumably take advantage of whatever plugins you've enabled on KDE Connect, be it clipboard syncing, file system browsing, or, even worse, command execution.
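The check the advisory describes, as an added Python model rather than code from KDE Connect itself: a session records the device ID from the first packet, and the patched handler refuses a second packet whose ID differs, while the pre-fix handler acts on whatever ID arrives. The packet shape (a `kdeconnect.identity` type with a `deviceId` in the body) is simplified from the real protocol, and the device IDs are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed data: device IDs this host has already paired with.
PAIRED_DEVICES = {"phone-a1b2c3"}


@dataclass
class Session:
    first_id: Optional[str] = None    # deviceId announced in the first packet
    trusted_as: Optional[str] = None  # identity the host ends up acting on


class IdentityMismatch(Exception):
    """Raised by the patched handler when the two packets' IDs disagree."""


def handle_first_packet(session: Session, packet: dict) -> bool:
    """Record the first packet's ID; returns True if that device is not yet paired."""
    session.first_id = packet["body"]["deviceId"]
    return session.first_id not in PAIRED_DEVICES


def handle_second_packet_vulnerable(session: Session, packet: dict) -> str:
    """Pre-fix behaviour: acts on whatever deviceId the second packet carries."""
    session.trusted_as = packet["body"]["deviceId"]
    return session.trusted_as


def handle_second_packet_patched(session: Session, packet: dict) -> str:
    """Post-fix behaviour: the second deviceId must equal the first one."""
    device_id = packet["body"]["deviceId"]
    if device_id != session.first_id:
        raise IdentityMismatch(f"{device_id!r} does not match {session.first_id!r}")
    session.trusted_as = device_id
    return device_id


def is_trusted(session: Session) -> bool:
    """True if the session now carries the rights of a paired device."""
    return session.trusted_as in PAIRED_DEVICES


def check_handler(handler) -> Tuple[Session, Optional[str]]:
    """Feed a handler the mismatched two-packet sequence from the advisory (constructed packets)."""
    session = Session()
    handle_first_packet(session, {"type": "kdeconnect.identity", "body": {"deviceId": "unpaired-9f8e"}})
    try:
        handler(session, {"type": "kdeconnect.identity", "body": {"deviceId": "phone-a1b2c3"}})
    except IdentityMismatch as exc:
        return session, str(exc)
    return session, None
```

With the vulnerable handler the session ends up trusted as the paired phone; with the patched handler the mismatch is rejected and `trusted_as` stays unset.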
Again, this is only a concern if you're on a Wi-Fi or Ethernet network shared with people you don't know. If you're at home on a private network, you don't have much to worry about. It's public networks at airports, coffee shops, and the like where you should avoid using vulnerable versions of KDE Connect.
Notably, versions of KDE Connect before the first vulnerable version are not affected by this security flaw. The flaw was introduced with KDE Connect protocol version 8, which showed up in KDE Connect releases around March 2025. Many Linux distributions, notably the LTS releases of Ubuntu and its flavors, hold back package updates for quite some time in the name of stability, so there's a decent chance you still don't have a post-March 2025 release.
If you're not sure how to check the version number, I can tell you I found out my Android app was safe by opening the KDE Connect app, tapping the hamburger menu in the top-left corner, and tapping "About." That showed me the KDE Connect version number at the top of the screen, which to my relief was at 1.34.4.
Opening the main KDE Connect app on my Linux desktop, I clicked the Settings button in the bottom-left corner, clicked "About KDE Connect," and found the version number at the top of the window there.
My Kubuntu 24.04 LTS laptop was actually running a version from before the vulnerability, meaning I don't have to worry about this vulnerability there. On CachyOS, I'm unfortunately between the first vulnerable version and the patched version. I'm not worried about it though, considering it's a desktop PC I'm not lugging out to public hotspots.
Source: KDE Project via GamingOnLinux