Skip to main content

Flatpak CVE-2026-34078

| EUVDEUVD-2026-19970 CRITICAL
UNIX Symbolic Link (Symlink) Following (CWE-61)
2026-04-07 GitHub_M
Critical
Disputed · 9.3 Vendor: GitHub_M
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (GitHub_M) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
8.2 HIGH
AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Red Hat
8.2 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 17:52 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:45 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.16.4
EUVD ID Assigned
Apr 07, 2026 - 22:16 euvd
EUVD-2026-19970
Analysis Generated
Apr 07, 2026 - 22:16 vuln.today
CVE Published
Apr 07, 2026 - 21:27 nvd
CRITICAL 9.3

DescriptionCVE.org

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.

AnalysisAI

Sandbox escape in Flatpak versions prior to 1.16.4 allows applications to access arbitrary host filesystem paths and achieve host-level code execution through symlink manipulation in portal sandbox-expose options. The vulnerability requires no authentication (CVSS:4.0 PR:N) and is exploitable over the network with low complexity. No confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the attack primitive is clearly documented in the vendor advisory.

Technical ContextAI

Flatpak is a Linux application sandboxing framework designed to isolate containerized applications from the host system. The vulnerability (CWE-61: UNIX Symbolic Link Following) exists in the Flatpak portal's handling of sandbox-expose options. The portal service, which mediates controlled access between sandboxed apps and host resources, fails to properly validate or sanitize paths containing symbolic links. When an application provides a symlink path through sandbox-expose options, Flatpak resolves the symlink and mounts the target host path directly into the sandbox filesystem namespace. Because applications can control the creation and destination of symlinks within their sandbox environment, they can craft symlinks pointing to sensitive host directories (such as /etc, /root, or system binaries). The portal then grants the sandboxed app direct access to these resolved paths, completely bypassing the intended security boundary. This affects all deployments using Flatpak versions earlier than 1.16.4 where applications can influence sandbox-expose parameters.

RemediationAI

Immediately upgrade Flatpak to version 1.16.4 or later, which contains the complete fix for symlink resolution vulnerabilities in portal sandbox-expose handling. Linux distribution users should apply patches through their package manager (e.g., 'dnf update flatpak', 'apt update && apt upgrade flatpak') as downstream vendors backport the security fix. System administrators should verify the installed version with 'flatpak --version' and confirm it shows 1.16.4 or higher post-update. No effective workarounds exist that maintain Flatpak functionality while mitigating the vulnerability, as the issue is fundamental to portal path handling logic. Organizations unable to immediately patch should consider temporarily restricting Flatpak application installations to trusted sources only and auditing existing installed applications for suspicious behavior. Consult the official vendor security advisory at https://github.com/flatpak/flatpak/security/advisories/GHSA-cc2q-qc34-jprg for additional context and detection guidance. After patching, review installed Flatpak applications and remove any from untrusted or unknown sources.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

CVE-2026-34078 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy