CVE-2026-34078
EUVD-2026-1997007.04.2026, 22:16
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| flatpak | flatpak | 𝑥 ≤ 1.16.3 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
openSUSE / SLES Releases
openSUSE Product | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| flatpak |
| ||||||||||||||
| flatpak-devel |
| ||||||||||||||
| flatpak-remote-flathub |
| ||||||||||||||
| flatpak-zsh-completion |
| ||||||||||||||
| libflatpak0 |
| ||||||||||||||
| system-user-flatpak |
| ||||||||||||||
| typelib-1_0-Flatpak-1_0 |
|
Red Hat Enterprise Linux Releases
Red Hat Product | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| flatpak |
| ||||||||||||
| flatpak-devel |
| ||||||||||||
| flatpak-libs |
| ||||||||||||
| flatpak-selinux |
| ||||||||||||
| flatpak-session-helper |
|
Amazon Linux Releases
Amazon Package | |||||
|---|---|---|---|---|---|
| flatpak |
| ||||
| flatpak-builder |
| ||||
| flatpak-debuginfo |
| ||||
| flatpak-debugsource |
| ||||
| flatpak-devel |
| ||||
| flatpak-libs |
| ||||
| flatpak-libs-debuginfo |
| ||||
| flatpak-selinux |
| ||||
| flatpak-session-helper |
| ||||
| flatpak-session-helper-debuginfo |
| ||||
| flatpak-tests |
| ||||
| flatpak-tests-debuginfo |
|
Common Weakness Enumeration
- CWE-61 - UNIX Symbolic Link (Symlink) FollowingThe software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Vulnerability Media Exposure
References