Skip to main content

qSnapper EUVDEUVD-2026-38272

| CVE-2026-41048 HIGH
Incorrect Implementation of Authentication Algorithm (CWE-303)
8.4
CVSS 4.0 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Local D-Bus reach gives AV:L; any local user suffices so PR:L; no user interaction; high confidentiality and integrity over snapshots, no availability impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Patch available
Jun 22, 2026 - 17:01 EUVD
Source Code Evidence Fetched
Jun 22, 2026 - 16:53 vuln.today
Analysis Generated
Jun 22, 2026 - 16:53 vuln.today
CVSS changed
Jun 22, 2026 - 16:52 NVD
8.4 (HIGH)
CVE Published
May 27, 2026 - 20:45 oss-security
HIGH 8.4
CVE Published
May 27, 2026 - 20:45 nvd
UNKNOWN (no severity yet)

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Authentication bypass in qSnapper's privileged D-Bus service (versions before 1.3.3) allows any local unprivileged user to invoke administrative snapshot operations by piggy-backing on another client's prior Polkit authentication. The service stored authentication state in a single shared m_authenticated flag rather than per-client, so once any caller passed an admin check, all subsequent D-Bus callers inherited that state. No public exploit identified at time of analysis; the issue was found during a SUSE-coordinated security review and patched in v1.3.3.

Technical ContextAI

qSnapper is a Qt-based front-end and privileged D-Bus backend service for managing Btrfs snapshots (a Snapper-style utility). Its system bus service exposed methods gated by Polkit checks, but the implementation cached the outcome in a process-wide member variable (m_authenticated) plus a custom Authenticate() D-Bus method, instead of evaluating Polkit per-call and per-caller. This is a textbook CWE-303 (Incorrect Implementation of Authentication Algorithm): the auth decision is computed correctly once, then incorrectly reused across distinct security principals. The upstream fix removes the cache and the Authenticate() method entirely and relies on Polkit's native auth_admin_keep behaviour, which scopes recent authorizations to the specific bus name that requested them.

RemediationAI

Upgrade to qSnapper 1.3.3 or later, which removes the shared m_authenticated cache and the Authenticate() D-Bus method and delegates re-authorization to Polkit's auth_admin_keep behavior (release notes: https://github.com/presire/qSnapper/releases/tag/v1.3.3). On SUSE/openSUSE, install the distribution update tracked in https://bugzilla.suse.com/show_bug.cgi?id=1262218 once it lands. If patching must be deferred, mitigate by stopping and masking the qSnapper system D-Bus service (systemctl mask) so the privileged endpoint is unreachable - accepting the trade-off that snapshot management from the GUI will be unavailable - or by tightening the Polkit policy for com.presire.qsnapper actions to auth_admin (forcing a fresh prompt every call) rather than any cached variant; this will produce noticeable extra auth prompts but blocks the cross-client carry-over.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Vendor StatusVendor

SUSE

Severity: Important

Share

EUVD-2026-38272 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy