Skip to main content

evolution-data-server CVE-2026-2604

| EUVDEUVD-2026-37506 MEDIUM
External Control of File Name or Path (CWE-73)
2026-06-16 redhat
5.6
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
5.6 MEDIUM
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L
vuln.today AI
5.6 MEDIUM

Local vector and low privileges reflect Flatpak D-Bus caller requirement; UI:R captures mandatory user-triggered deletion; C:N because only deletion, not disclosure, is possible.

3.1 AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L
4.0 AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.6 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 00:32 vuln.today

DescriptionCVE.org

A flaw was found in evolution-data-server. Inconsistent comparison logic in the addressbook file backend allows a Flatpak application with D-Bus access to craft a malicious URI containing directory traversal sequences. This URI is stored without proper validation during contact creation or modification. Later, during contact deletion, the URI is processed with a less strict check, leading to the deletion of arbitrary files on the host filesystem. This could potentially include critical Flatpak override files.

AnalysisAI

Arbitrary file deletion in evolution-data-server's addressbook file backend exposes host filesystem to manipulation by a Flatpak application with D-Bus access. The vulnerability exploits split validation logic: a crafted URI embedding directory traversal sequences (e.g., '../') is accepted without sufficient sanitization during contact creation or modification, but when the same URI is later processed at deletion time, a second, less restrictive check fails to catch the traversal - allowing files outside the intended addressbook directory to be removed. Critically, deletion of Flatpak override files could be leveraged to silently weaken sandbox restrictions for subsequent application runs. No public exploit has been identified at time of analysis.

Technical ContextAI

evolution-data-server (EDS) is the GNOME backend data service providing addressbook, calendar, and task storage via D-Bus IPC. Its addressbook file backend stores contact records indexed by URIs pointing to on-disk vCard files. CWE-73 (External Control of File Name or Path) describes the root cause: the application allows user-controlled input - here a D-Bus-supplied URI - to influence file path resolution without consistent normalization across all code paths. Because Flatpak applications are sandboxed but may be granted explicit D-Bus access to host services including EDS, a malicious or compromised Flatpak app can interact with the EDS D-Bus interface as a low-privilege local caller. The inconsistency between the creation-time check and the deletion-time check is the exploitable gap: the stricter check at write time creates a false sense of security, while the lax check at delete time becomes the exploitable path. Affected products per CPE data span Red Hat Enterprise Linux 6 through 10.

RemediationAI

Apply the updated evolution-data-server package as released via Red Hat's security errata for the affected RHEL versions; consult https://access.redhat.com/security/cve/CVE-2026-2604 and Bugzilla #2440301 (https://bugzilla.redhat.com/show_bug.cgi?id=2440301) for specific package versions and errata identifiers. No exact fixed version number is independently confirmed from the available data - verify the fix version directly from Red Hat's advisory before deploying. As a compensating control pending patch availability, administrators can revoke or restrict D-Bus access for untrusted Flatpak applications by auditing and tightening Flatpak D-Bus policy overrides; note this may break legitimate EDS-integrated functionality in affected apps. Additionally, protecting critical Flatpak override directories (e.g., ~/.local/share/flatpak/overrides/) with filesystem ACLs or inotify-based monitoring can provide early warning of unauthorized deletions, though it does not prevent them. Patch is the only definitive fix.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5674 HIGH
8.8 Jul 16

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 SUSE Linux Enterprise Workstation Extension 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
openSUSE Leap 15.6 Fixed
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed

Share

CVE-2026-2604 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy