Thales SureDrop Security Issue

This notification is to alert customers about a security issue affecting self-hosted SureDrop deployments, and the steps we recommend you take. We are asking you to act promptly, though there is no indication of exploitation and no immediate cause for alarm.

What happened

Through responsible disclosure, a vulnerability was identified in the SureDrop nextgen REST API (our reference SD-2026-001). Under certain conditions it could allow a file download without a valid user session. A related issue concerning credential generation was identified at the same time. The affected code has been present since December 2023.

We have addressed both issues in the current SureDrop release. All SaaS environments were updated as of 5 June 2026 and are no longer affected. Our review of SaaS logs across the affected period shows no indication of exploitation. Self-hosted deployments are under your control, so we are providing the steps below for you to secure your own environment and check your own logs.

What we recommend you do

We recommend two steps, in this order:

Step 1 — Check your logs first. Before upgrading, review your SureDrop logs for any sign the issue was used against your deployment, following the attached guide (SureDrop Security Advisory SD-2026-001 — How to Check Your Logs). If your upgrade process recreates the deployment, doing this first ensures the relevant logs are still available. If you wish to upgrade before checking, please copy your reverse-proxy access logs aside first so they are preserved.
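
The log-preservation step above, as an added PowerShell example that is not part of this notice or the SureDrop installer. It copies the reverse-proxy access logs aside, records a SHA-256 manifest so the copies can later be shown to be unaltered, and marks them read-only; the source and destination paths are assumptions and must be adjusted to your deployment.

```powershell
# Added example, not from the Thales/Senetas notice or the SureDrop installer.
# Copies reverse-proxy access logs aside before an upgrade that may recreate the
# deployment, then records a SHA-256 manifest of the preserved copies.
# Both paths below are ASSUMPTIONS: point them at your real log directory and
# at a preservation location outside the deployment being upgraded.

$LogSource  = 'C:\suredrop\proxy\logs'                 # ASSUMPTION: reverse-proxy log directory
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$PreserveTo = "C:\suredrop-log-preservation\$Stamp"    # ASSUMPTION: outside the deployment

if (-not (Test-Path -Path $LogSource)) {
    throw "Log source '$LogSource' not found; check your reverse-proxy configuration."
}

New-Item -ItemType Directory -Path $PreserveTo -Force | Out-Null

# Copy every file, including rotated or compressed logs, keeping the directory layout.
Copy-Item -Path (Join-Path $LogSource '*') -Destination $PreserveTo -Recurse -Force

# Hash each preserved copy and write a manifest next to them.
$Manifest = Join-Path $PreserveTo 'SHA256-manifest.csv'
Get-ChildItem -Path $PreserveTo -File -Recurse |
    Where-Object { $_.FullName -ne $Manifest } |
    ForEach-Object {
        $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
        [pscustomobject]@{
            Path      = $_.FullName.Substring($PreserveTo.Length + 1)
            SizeBytes = $_.Length
            SHA256    = $h.Hash
        }
    } | Export-Csv -Path $Manifest -NoTypeInformation

# Mark the copies read-only so routine tooling does not alter them before review.
Get-ChildItem -Path $PreserveTo -File -Recurse | ForEach-Object { $_.IsReadOnly = $true }

Write-Host "Preserved $((Import-Csv -Path $Manifest).Count) log files to $PreserveTo"
Write-Host "Manifest: $Manifest"
```

When you later run the checks in the attached guide, run Get-FileHash over the preserved copies and compare against the manifest before relying on them.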

Step 2 — Upgrade to the fixed release. The fix is included in SureDrop 2.13.1-certified-20260604.064059. Depending on your current version, this may be a significant upgrade with new features and changes beyond this fix, so we recommend treating it as a normal version upgrade: review the release notes at https://blog.suredrop.io/, take a backup or snapshot of your deployment, and where possible test in a non-production environment before applying.

The upgrade is obtained as follows:

  1. Download the installer by running the following command in an Admin PowerShell window: Invoke-WebRequest "https://s3-ap-southeast-2.amazonaws.com/suredrop-downloads/compose/create-suredrop.bat" -OutFile "create-suredrop.bat"; ./create-suredrop.bat
  2. The installer will run and present some options. Select option 1, Upgrade Version.
  3. Install using your default settings.
  4. After upgrading, confirm you are on the fixed release by navigating to the login page and checking that the release version shown in the bottom right-hand corner of the page is 2.13.1-certified-20260408.0554552019 or 2.13.1-certified-20260408.0554552022.

If your log check finds anything

If the checks in the attached guide return any matches, please preserve the affected logs and contact Senetas support (support@suredrop.com.au) with the details, and treat data in any affected folders according to your own incident-response process. You do not need to contact us if your checks are clear. For more guidance, please visit the post on the Thales Support Portal.

Questions

If you have any questions about the upgrade or the log checks, please contact Thales by one of the following methods.

Online at the Thales Support Portal
Thales Phone Support International: +14104691651
Thales Phone Support Local: Please visit the Contact Us page to find your local number

SureDrop Cloud

SureDrop Cloud customers, please be advised that we have addressed these issues in the current SureDrop release. All SaaS environments were updated and are no longer affected. Our review of SaaS logs across the affected period shows no indication of exploitation.