Skip to main content

Qsnapper

5 CVEs product

Monthly

CVE-2026-41049 HIGH PATCH This Week

Local privilege escalation in qSnapper D-Bus service before version 1.3.3 allows any unprivileged local user to invoke privileged D-Bus methods after an administrator has previously authenticated for an unrelated Polkit action. The flaw stems from authentication state being implicitly carried over across different Polkit actions and users rather than being scoped per-action-per-caller, enabling unauthorized snapshot management on systems where the service is installed. No public exploit identified at time of analysis, though SUSE published a coordinated disclosure advisory alongside the upstream fix.

Information Disclosure Qsnapper
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-41047 MEDIUM PATCH This Month

Unauthenticated local access to qSnapper's D-Bus snapshot diff interface before version 1.3.3 exposes read-protected file contents to any local user on the host. The 'snapshot diff' D-Bus methods - GetFileChanges, GetFileChangesBetween, GetFileDiffBetween, and GetFileDiffAndDetails - lacked any Polkit authorization check, meaning a local unprivileged caller could invoke them directly and receive sensitive file diff data. This is one of five authentication/authorization flaws (CVE-2026-41045 through CVE-2026-41049) discovered and reported by the SUSE security team under coordinated disclosure; no public exploit is identified at time of analysis.

Authentication Bypass Qsnapper
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-41046 HIGH PATCH This Week

Local privilege escalation and denial of service in qSnapper before 1.3.3 stems from path traversal via the configName D-Bus parameter, allowing local attackers to point the snapper backend at attacker-controlled config files. Per the SUSE security review that produced coordinated fixes for CVE-2026-41045 through CVE-2026-41049, exploitation can crash the service or escalate to root through abuse of snapper configuration handling. No public exploit identified at time of analysis, but the upstream advisory and Bugzilla entry document the issue in detail.

Path Traversal Denial Of Service Qsnapper Suse
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-41045 HIGH PATCH This Week

Local privilege escalation in presire qSnapper before 1.3.3 lets a low-privileged user bypass Polkit authentication in the privileged D-Bus service by exploiting a PID-reuse race in the UnixProcessSubject authorization check. A successful race grants the attacker the authority of a privileged process, exposing high-impact root-level operations (snapshot/file restore) on the host. EPSS is low (0.13%, 3rd percentile) and no public exploit is identified; the issue was found in a coordinated SUSE security review and fixed in v1.3.3.

Apache SSRF Kubernetes Qsnapper Suse
NVD GitHub VulDB
CVSS 3.1
7.0
EPSS
0.1%
CVE-2026-41048 HIGH PATCH This Week

Authentication bypass in qSnapper's privileged D-Bus service (versions before 1.3.3) allows any local unprivileged user to invoke administrative snapshot operations by piggy-backing on another client's prior Polkit authentication. The service stored authentication state in a single shared m_authenticated flag rather than per-client, so once any caller passed an admin check, all subsequent D-Bus callers inherited that state. No public exploit identified at time of analysis; the issue was found during a SUSE-coordinated security review and patched in v1.3.3.

Apache SSRF Kubernetes Qsnapper
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.1%
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Local privilege escalation in qSnapper D-Bus service before version 1.3.3 allows any unprivileged local user to invoke privileged D-Bus methods after an administrator has previously authenticated for an unrelated Polkit action. The flaw stems from authentication state being implicitly carried over across different Polkit actions and users rather than being scoped per-action-per-caller, enabling unauthorized snapshot management on systems where the service is installed. No public exploit identified at time of analysis, though SUSE published a coordinated disclosure advisory alongside the upstream fix.

Information Disclosure Qsnapper
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated local access to qSnapper's D-Bus snapshot diff interface before version 1.3.3 exposes read-protected file contents to any local user on the host. The 'snapshot diff' D-Bus methods - GetFileChanges, GetFileChangesBetween, GetFileDiffBetween, and GetFileDiffAndDetails - lacked any Polkit authorization check, meaning a local unprivileged caller could invoke them directly and receive sensitive file diff data. This is one of five authentication/authorization flaws (CVE-2026-41045 through CVE-2026-41049) discovered and reported by the SUSE security team under coordinated disclosure; no public exploit is identified at time of analysis.

Authentication Bypass Qsnapper
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Local privilege escalation and denial of service in qSnapper before 1.3.3 stems from path traversal via the configName D-Bus parameter, allowing local attackers to point the snapper backend at attacker-controlled config files. Per the SUSE security review that produced coordinated fixes for CVE-2026-41045 through CVE-2026-41049, exploitation can crash the service or escalate to root through abuse of snapper configuration handling. No public exploit identified at time of analysis, but the upstream advisory and Bugzilla entry document the issue in detail.

Path Traversal Denial Of Service Qsnapper +1
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Local privilege escalation in presire qSnapper before 1.3.3 lets a low-privileged user bypass Polkit authentication in the privileged D-Bus service by exploiting a PID-reuse race in the UnixProcessSubject authorization check. A successful race grants the attacker the authority of a privileged process, exposing high-impact root-level operations (snapshot/file restore) on the host. EPSS is low (0.13%, 3rd percentile) and no public exploit is identified; the issue was found in a coordinated SUSE security review and fixed in v1.3.3.

Apache SSRF Kubernetes +2
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Authentication bypass in qSnapper's privileged D-Bus service (versions before 1.3.3) allows any local unprivileged user to invoke administrative snapshot operations by piggy-backing on another client's prior Polkit authentication. The service stored authentication state in a single shared m_authenticated flag rather than per-client, so once any caller passed an admin check, all subsequent D-Bus callers inherited that state. No public exploit identified at time of analysis; the issue was found during a SUSE-coordinated security review and patched in v1.3.3.

Apache SSRF Kubernetes +1
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy