Skip to main content

Xdg Dbus Proxy CVE-2026-34080

| EUVDEUVD-2026-19945 MEDIUM
Improper Validation of Unsafe Equivalence in Input (CWE-1289)
2026-04-07 security-advisories@github.com
6.8
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Red Hat
5.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
0.1.7
EUVD ID Assigned
Apr 07, 2026 - 21:22 euvd
EUVD-2026-19945
Analysis Generated
Apr 07, 2026 - 21:22 vuln.today
CVE Published
Apr 07, 2026 - 21:17 nvd
MEDIUM 6.8

DescriptionGitHub Advisory

xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules but fails to handle eavesdrop ='true' (with a space before the equals sign) and similar cases. Clients can intercept D-Bus messages they should not have access to. This vulnerability is fixed in 0.1.7.

AnalysisAI

Policy parser vulnerability in xdg-dbus-proxy prior to 0.1.7 allows authenticated local users to bypass eavesdrop restrictions and intercept D-Bus messages by exploiting improper whitespace handling in policy rule parsing. The proxy fails to normalize eavesdrop policy directives, permitting attackers to craft malformed policies (e.g., eavesdrop ='true' with spacing variations) that evade the eavesdrop=true access control checks. No public exploit code has been identified at time of analysis.

Technical ContextAI

xdg-dbus-proxy is a D-Bus message filtering proxy commonly used in Flatpak sandboxes to enforce security policies on inter-process communication. The vulnerability exists in the policy parsing logic, which is responsible for evaluating D-Bus access control rules before allowing message relay. The root cause is improper input validation and normalization of policy directives (CWE-1289: Improper Validation of Specified Quantity in Input). The parser checks for the exact string eavesdrop=true but does not account for whitespace variations or case sensitivity edge cases in policy rule evaluation. D-Bus messages intended to be restricted from eavesdropping become accessible when malformed policy rules pass the access control checks due to this parsing flaw.

RemediationAI

Vendor-released patch: xdg-dbus-proxy 0.1.7. Users should upgrade immediately to version 0.1.7 or later, which includes corrected policy parser logic that properly validates and normalizes eavesdrop directives. No workarounds are available for this parser vulnerability; the fix requires code-level remediation in the proxy. The upstream fix addresses whitespace handling and ensures consistent policy evaluation regardless of formatting variations in policy rules. Administrators managing Flatpak or other xdg-dbus-proxy deployments should prioritize this update, particularly in multi-user sandboxing scenarios. Additional details and patch availability are documented at https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-34080 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy