
A vulnerability has been found in Signal messenger that allows access to deleted files

  • January 24, 2023

Actually, there are two such bugs. One was identified as CVE-2023-24068 and the other as CVE-2023-24069. They could potentially allow an attacker to retrieve and modify sensitive attachments sent in messages.

What is known

Signal Desktop stores attachments unencrypted in the ~\attachments.noindex directory. If the user deletes an attachment from the chat, it is automatically removed from this directory. However, if the recipient replied to the message containing the attachment (quoting it), the attachment remains stored in the clear in the local folder even after it is deleted in the messenger interface.

An attacker who can access these files doesn’t even need to decrypt the files, and there’s no regular cache cleanup, so any undeleted files stay in that folder unencrypted.
– famous researcher John Jackson.

Worse, an attacker could modify the cached file. Since each Signal Desktop client has its own local cache, the file will not be changed automatically for the other participants in the conversation. However, if the victim forwards the existing thread to other chats after the replacement, it will contain the modified files and not the original files. Based on this, the researchers conclude that Signal Desktop does not check for changes in previously cached files.

Can this bug be called very serious? Probably not. Exploiting it requires several factors to coincide and many additional steps. The target of the attack must be using Signal Desktop, not just the smartphone app. To view the files on the victim's computer, the attacker must first break into that computer, and that requires other methods that may not work. This, of course, does not rule out a chance coincidence.

The Signal developers have not yet commented on the situation, but they will most likely fix the bug in the near future.

Source: 24 Tv
