GHSA-x7qh-xcf8-p6cq
Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local D-Bus reach gives AV:L; any local user suffices so PR:L; no user interaction; high confidentiality and integrity over snapshots, no availability impact.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6Description PRE-NVD
AnalysisAI
Authentication bypass in qSnapper's privileged D-Bus service (versions before 1.3.3) allows any local unprivileged user to invoke administrative snapshot operations by piggy-backing on another client's prior Polkit authentication. The service stored authentication state in a single shared m_authenticated flag rather than per-client, so once any caller passed an admin check, all subsequent D-Bus callers inherited that state. No public exploit identified at time of analysis; the issue was found during a SUSE-coordinated security review and patched in v1.3.3.
Technical ContextAI
qSnapper is a Qt-based front-end and privileged D-Bus backend service for managing Btrfs snapshots (a Snapper-style utility). Its system bus service exposed methods gated by Polkit checks, but the implementation cached the outcome in a process-wide member variable (m_authenticated) plus a custom Authenticate() D-Bus method, instead of evaluating Polkit per-call and per-caller. This is a textbook CWE-303 (Incorrect Implementation of Authentication Algorithm): the auth decision is computed correctly once, then incorrectly reused across distinct security principals. The upstream fix removes the cache and the Authenticate() method entirely and relies on Polkit's native auth_admin_keep behaviour, which scopes recent authorizations to the specific bus name that requested them.
RemediationAI
Upgrade to qSnapper 1.3.3 or later, which removes the shared m_authenticated cache and the Authenticate() D-Bus method and delegates re-authorization to Polkit's auth_admin_keep behavior (release notes: https://github.com/presire/qSnapper/releases/tag/v1.3.3). On SUSE/openSUSE, install the distribution update tracked in https://bugzilla.suse.com/show_bug.cgi?id=1262218 once it lands. If patching must be deferred, mitigate by stopping and masking the qSnapper system D-Bus service (systemctl mask) so the privileged endpoint is unreachable - accepting the trade-off that snapshot management from the GUI will be unavailable - or by tightening the Polkit policy for com.presire.qsnapper actions to auth_admin (forcing a fresh prompt every call) rather than any cached variant; this will produce noticeable extra auth prompts but blocks the cross-client carry-over.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Vendor StatusVendor
SUSE
Severity: ImportantShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38272