CVE-2026-34078

EUVD-2026-19970
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.
Symlink
Link Following
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
10 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 74%
Affected Products (NVD)
VendorProductVersion
flatpakflatpak
𝑥
≤ 1.16.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
flatpak
bookworm
1.14.10-1~deb12u2
fixed
bookworm (security)
1.14.10-1~deb12u2
fixed
bullseye
vulnerable
bullseye (security)
vulnerable
forky
1.18.0-1
fixed
sid
1.18.0-1
fixed
trixie
1.16.6-1~deb13u1
fixed
trixie (security)
1.16.6-1~deb13u1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
flatpak
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
needs-triage
resolute
needs-triage
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
flatpak
suse enterprise desktop 15 SP7
1.16.0-150600.3.9.1
fixed
suse enterprise sap 15 SP7
1.16.0-150600.3.9.1
fixed
suse enterprise server 12 SP5
1.4.2-3.12.2
fixed
suse enterprise server 15 SP4
1.12.8-150400.3.12.1
fixed
suse enterprise server 15 SP5
1.16.0-150500.3.18.1
fixed
suse enterprise server 15 SP6
1.16.0-150600.3.9.1
fixed
suse enterprise server 15 SP7
1.16.0-150600.3.9.1
fixed
flatpak-devel
suse enterprise desktop 15 SP7
1.16.0-150600.3.9.1
fixed
suse enterprise sap 15 SP7
1.16.0-150600.3.9.1
fixed
suse enterprise server 15 SP4
1.12.8-150400.3.12.1
fixed
suse enterprise server 15 SP5
1.16.0-150500.3.18.1
fixed
suse enterprise server 15 SP6
1.16.0-150600.3.9.1
fixed
suse enterprise server 15 SP7
1.16.0-150600.3.9.1
fixed
flatpak-remote-flathub
suse enterprise desktop 15 SP7
1.16.0-150600.3.9.1
fixed
suse enterprise sap 15 SP7
1.16.0-150600.3.9.1
fixed
suse enterprise server 15 SP5
1.16.0-150500.3.18.1
fixed
suse enterprise server 15 SP6
1.16.0-150600.3.9.1
fixed
suse enterprise server 15 SP7
1.16.0-150600.3.9.1
fixed
flatpak-zsh-completion
suse enterprise desktop 15 SP7
1.16.0-150600.3.9.1
fixed
suse enterprise sap 15 SP7
1.16.0-150600.3.9.1
fixed
suse enterprise server 15 SP4
1.12.8-150400.3.12.1
fixed
suse enterprise server 15 SP5
1.16.0-150500.3.18.1
fixed
suse enterprise server 15 SP6
1.16.0-150600.3.9.1
fixed
suse enterprise server 15 SP7
1.16.0-150600.3.9.1
fixed
libflatpak0
suse enterprise desktop 15 SP7
1.16.0-150600.3.9.1
fixed
suse enterprise sap 15 SP7
1.16.0-150600.3.9.1
fixed
suse enterprise server 12 SP5
1.4.2-3.12.2
fixed
suse enterprise server 15 SP4
1.12.8-150400.3.12.1
fixed
suse enterprise server 15 SP5
1.16.0-150500.3.18.1
fixed
suse enterprise server 15 SP6
1.16.0-150600.3.9.1
fixed
suse enterprise server 15 SP7
1.16.0-150600.3.9.1
fixed
system-user-flatpak
suse enterprise desktop 15 SP7
1.16.0-150600.3.9.1
fixed
suse enterprise sap 15 SP7
1.16.0-150600.3.9.1
fixed
suse enterprise server 15 SP4
1.12.8-150400.3.12.1
fixed
suse enterprise server 15 SP5
1.16.0-150500.3.18.1
fixed
suse enterprise server 15 SP6
1.16.0-150600.3.9.1
fixed
suse enterprise server 15 SP7
1.16.0-150600.3.9.1
fixed
typelib-1_0-Flatpak-1_0
suse enterprise desktop 15 SP7
1.16.0-150600.3.9.1
fixed
suse enterprise sap 15 SP7
1.16.0-150600.3.9.1
fixed
suse enterprise server 12 SP5
1.4.2-3.12.2
fixed
suse enterprise server 15 SP4
1.12.8-150400.3.12.1
fixed
suse enterprise server 15 SP5
1.16.0-150500.3.18.1
fixed
suse enterprise server 15 SP6
1.16.0-150600.3.9.1
fixed
suse enterprise server 15 SP7
1.16.0-150600.3.9.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
flatpak
RHEL 8
0:1.12.9-4.el8_10
fixed
RHEL 8.4 AUS
0:1.12.9-2.el8_4
fixed
RHEL 8.6 AUS
0:1.12.9-1.el8_6
fixed
RHEL 8.8 E4S
0:1.12.9-1.el8_8
fixed
RHEL 8.8 TUS
0:1.12.9-1.el8_8
fixed
RHEL 9
0:1.12.9-4.el9_8.1
fixed
flatpak-devel
RHEL 8
0:1.12.9-4.el8_10
fixed
RHEL 9
0:1.12.9-4.el9_8.1
fixed
flatpak-libs
RHEL 8
0:1.12.9-4.el8_10
fixed
RHEL 8.4 AUS
0:1.12.9-2.el8_4
fixed
RHEL 8.6 AUS
0:1.12.9-1.el8_6
fixed
RHEL 8.8 E4S
0:1.12.9-1.el8_8
fixed
RHEL 8.8 TUS
0:1.12.9-1.el8_8
fixed
RHEL 9
0:1.12.9-4.el9_8.1
fixed
flatpak-selinux
RHEL 8
0:1.12.9-4.el8_10
fixed
RHEL 8.4 AUS
0:1.12.9-2.el8_4
fixed
RHEL 8.6 AUS
0:1.12.9-1.el8_6
fixed
RHEL 8.8 E4S
0:1.12.9-1.el8_8
fixed
RHEL 8.8 TUS
0:1.12.9-1.el8_8
fixed
RHEL 9
0:1.12.9-4.el9_8.1
fixed
flatpak-session-helper
RHEL 8
0:1.12.9-4.el8_10
fixed
RHEL 8.4 AUS
0:1.12.9-2.el8_4
fixed
RHEL 8.6 AUS
0:1.12.9-1.el8_6
fixed
RHEL 8.8 E4S
0:1.12.9-1.el8_8
fixed
RHEL 8.8 TUS
0:1.12.9-1.el8_8
fixed
RHEL 9
0:1.12.9-4.el9_8.1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
flatpak
Amazon Linux 2
0:1.0.9-10.amzn2.0.7
fixed
Amazon Linux 2023
0:1.16.6-1.amzn2023
fixed
flatpak-builder
Amazon Linux 2
0:1.0.0-10.amzn2.0.7
fixed
flatpak-debuginfo
Amazon Linux 2
0:1.0.9-10.amzn2.0.7
fixed
Amazon Linux 2023
0:1.16.6-1.amzn2023
fixed
flatpak-debugsource
Amazon Linux 2023
0:1.16.6-1.amzn2023
fixed
flatpak-devel
Amazon Linux 2
0:1.0.9-10.amzn2.0.7
fixed
Amazon Linux 2023
0:1.16.6-1.amzn2023
fixed
flatpak-libs
Amazon Linux 2
0:1.0.9-10.amzn2.0.7
fixed
Amazon Linux 2023
0:1.16.6-1.amzn2023
fixed
flatpak-libs-debuginfo
Amazon Linux 2023
0:1.16.6-1.amzn2023
fixed
flatpak-selinux
Amazon Linux 2023
0:1.16.6-1.amzn2023
fixed
flatpak-session-helper
Amazon Linux 2023
0:1.16.6-1.amzn2023
fixed
flatpak-session-helper-debuginfo
Amazon Linux 2023
0:1.16.6-1.amzn2023
fixed
flatpak-tests
Amazon Linux 2023
0:1.16.6-1.amzn2023
fixed
flatpak-tests-debuginfo
Amazon Linux 2023
0:1.16.6-1.amzn2023
fixed