Skip to main content

Red Hat EUVDEUVD-2026-21045

| CVE-2026-39977 HIGH
Path Traversal (CWE-22)
2026-04-09 GitHub_M
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.3 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Red Hat
5.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 16, 2026 - 21:07 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:00 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.4.8
EUVD ID Assigned
Apr 09, 2026 - 19:45 euvd
EUVD-2026-21045
Analysis Generated
Apr 09, 2026 - 19:45 vuln.today
CVE Published
Apr 09, 2026 - 19:05 nvd
HIGH 7.1

DescriptionGitHub Advisory

flatpak-builder is a tool to build flatpaks from source. From 1.4.5 to before 1.4.8, the license-files manifest key takes an array of paths to user defined licence files relative to the source directory of the module. The paths from that array are resolved using g_file_resolve_relative_path() and validated to stay inside the source directory using two checks - g_file_get_relative_path() which does not resolve symlinks and g_file_query_file_type() with G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS which only applies to the final path component. The copy operation runs on host. This can be exploited by using a crafted manifest and/or source to read arbitrary files from the host and capture them into the build output. This vulnerability is fixed in 1.4.8.

AnalysisAI

Path traversal in flatpak-builder 1.4.5 through 1.4.7 enables arbitrary host file exfiltration through license-files manifest exploitation. Attacker-crafted manifest with symlink manipulation bypasses g_file_get_relative_path() and g_file_query_file_type() validation, allowing reads outside source directory. Successful exploitation requires user interaction (processing malicious manifest) but grants unauthenticated remote attackers high confidentiality impact with no authentication required. Publicly available exploit code exists. CVSS 7.1 reflects network vector with user participation prerequisite.

Technical ContextAI

Root cause: incomplete symlink validation in license-files path resolution. g_file_resolve_relative_path() resolves symlinks before g_file_get_relative_path() boundary check executes, while G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS only protects final component. Attacker chains intermediate symlinks to escape source directory containment during host-side copy operations, exploiting CWE-22 improper limitation of pathname.

RemediationAI

Vendor-released patch: upgrade to flatpak-builder version 1.4.8 immediately. This release implements corrected symlink validation logic preventing path traversal during license file resolution. No workarounds exist that preserve full functionality; organizations unable to upgrade should disable processing of untrusted flatpak-builder manifests and restrict manifest sources to verified internal repositories only. Validate all license-files entries before build execution in high-security environments. Full technical details and remediation guidance: https://github.com/flatpak/flatpak-builder/security/advisories/GHSA-6gm9-3g7m-3965

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Development Tools 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed

Share

EUVD-2026-21045 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy