Skip to main content

Xdg Desktop Portal CVE-2026-40354

| EUVDEUVD-2026-21625 LOW
UNIX Symbolic Link (Symlink) Following (CWE-61)
2026-04-11 mitre GHSA-v5fw-rcv7-v6f3
2.9
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
1.21.1,1.20.4
EUVD ID Assigned
Apr 11, 2026 - 01:00 euvd
EUVD-2026-21625
Analysis Generated
Apr 11, 2026 - 01:00 vuln.today
CVE Published
Apr 11, 2026 - 00:29 nvd
LOW 2.9

DescriptionCVE.org

Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.

AnalysisAI

Flatpak xdg-desktop-portal versions before 1.20.4 and 1.21.x before 1.21.1 allow any sandboxed Flatpak application to delete arbitrary files on the host system through a symlink race condition in the g_file_trash function. The vulnerability exploits insufficient validation of file paths during trash operations, enabling local privilege escalation from a confined container context to affect host files. CVSS severity is low (2.9) due to high attack complexity and local-only vector, but the impact affects all Flatpak users whose host system contains a vulnerable xdg-desktop-portal installation.

Technical ContextAI

Flatpak xdg-desktop-portal is the system service responsible for portal requests from sandboxed Flatpak applications, acting as a trusted intermediary between confined apps and the host desktop environment. The vulnerability exists in the g_file_trash function, which handles file deletion operations initiated by Flatpak apps. The root cause is a classic time-of-check-time-of-use (TOCTOU) race condition (CWE-61) where the portal does not properly validate symlink targets before executing trash operations. An attacker within a Flatpak sandbox can create a symlink pointing to an arbitrary host file, then trigger a trash operation; if the symlink target is swapped between validation and execution, the portal may delete an unintended file with the privileges of the portal process. The CPE cpe:2.3:a:flatpak:xdg-desktop-portal:*:*:*:*:*:*:*:* indicates the vulnerability affects the xdg-desktop-portal component distributed by the Flatpak project across all versions prior to patching.

RemediationAI

Vendor-released patch: upgrade Flatpak xdg-desktop-portal to version 1.20.4 or later (for the 1.20 series) or version 1.21.1 or later (for the 1.21 series). On most Linux distributions, this is available through the system package manager (e.g., apt update && apt upgrade flatpak on Debian/Ubuntu, or dnf upgrade xdg-desktop-portal on Fedora). Verify the installed version with flatpak --version or by checking the xdg-desktop-portal version in your distribution's package manager. Interim mitigation prior to patching involves restricting which Flatpak applications are permitted to run (via Flatseal or flatpak override commands to disable portal access for untrusted apps), though this is not a complete security fix. Consult the security advisory at https://github.com/flatpak/xdg-desktop-portal/security/advisories/GHSA-rqr9-jwwf-wxgj and the openwall-oss-security discussion at https://www.openwall.com/lists/oss-security/2026/04/10/14 for distribution-specific guidance.

Share

CVE-2026-40354 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy