Skip to main content

qSnapper CVE-2026-41049

| EUVDEUVD-2026-38275 HIGH
Incorrect Implementation of Authentication Algorithm (CWE-303)
2026-06-22 suse GHSA-cf66-c678-24r2
8.4
CVSS 4.0 · Vendor: suse
Share

Severity by source

Vendor (suse) PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Local D-Bus service requires an existing low-privileged local account (AV:L, PR:L); no user interaction or special conditions beyond a prior admin auth; yields high confidentiality and integrity over snapshots, no availability impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative

Primary rating from Vendor (suse).

CVSS VectorVendor: suse

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 22, 2026 - 17:01 EUVD
Source Code Evidence Fetched
Jun 22, 2026 - 16:05 vuln.today
Analysis Generated
Jun 22, 2026 - 16:05 vuln.today

DescriptionCVE.org

Incorrect caching of authentication between different users of the  qSnapper dbus service before version 1.3.3 allowed any local attacker to use dbus functions after a privileged users has authenticated for them.

AnalysisAI

Local privilege escalation in qSnapper D-Bus service before version 1.3.3 allows any unprivileged local user to invoke privileged D-Bus methods after an administrator has previously authenticated for an unrelated Polkit action. The flaw stems from authentication state being implicitly carried over across different Polkit actions and users rather than being scoped per-action-per-caller, enabling unauthorized snapshot management on systems where the service is installed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local unprivileged shell on host
Delivery
Wait for admin to authenticate any qSnapper Polkit action
Exploit
Send D-Bus call to privileged qSnapper method
Execution
Service accepts cached authentication across action/user
Impact
Read or modify snapshot data at admin privilege

Vulnerability AssessmentAI

Exploitation Exploitation requires a local unprivileged session on a host running the qSnapper D-Bus system service at a version before 1.3.3, and crucially requires that a privileged (admin) user has previously completed a Polkit authentication for a qSnapper action on the same running service instance - the bug is that this prior authentication is implicitly carried over to other Polkit actions and other D-Bus callers. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N) and base score of 8.4 accurately reflect a high-impact local privilege escalation: an authenticated low-privileged local user can reach high confidentiality and integrity impact with no user interaction and no exotic attack requirements, but only after some privileged user on the same system has previously authenticated. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a shared Linux workstation with qSnapper < 1.3.3 installed, an administrator authenticates once via Polkit to perform a routine snapshot operation. A logged-in unprivileged local user then invokes other qSnapper D-Bus methods from their own session and finds them accepted without re-authentication because the service treats the prior admin authentication as still valid, allowing them to read or manipulate snapshot data outside their privilege level.
Remediation Vendor-released patch: qSnapper 1.3.3 - upgrade to this version, which removes the m_authenticated cache and the explicit Authenticate() D-Bus method and relies on Polkit's native per-action auth_admin_keep semantics, per the release notes at https://github.com/presire/qSnapper/releases/tag/v1.3.3 and the SUSE advisory at https://security.opensuse.org/2026/05/26/qsnapper-dbus-issues.html#issue-auth-caching. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all systems running qSnapper D-Bus and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important

Share

CVE-2026-41049 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy