Home

Description

A flaw was found in evolution-data-server. Inconsistent comparison logic in the addressbook file backend allows a Flatpak application with D-Bus access to craft a malicious URI containing directory traversal sequences. This URI is stored without proper validation during contact creation or modification. Later, during contact deletion, the URI is processed with a less strict check, leading to the deletion of arbitrary files on the host filesystem. This could potentially include critical Flatpak override files.

PUBLISHED Reserved 2026-02-16 | Published 2026-06-16 | Updated 2026-06-17 | Assigner redhat




MEDIUM: 5.6CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L

Problem types

External Control of File Name or Path

Product status

Default status
unaffected

Any version before 3.59.3
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Timeline

2026-02-16:Reported to Red Hat.
2026-02-16:Made public.

Credits

Red Hat would like to thank Codean Labs for reporting this issue.

References

lists.debian.org/debian-lts-announce/2026/03/msg00007.html

gitlab.gnome.org/...E/evolution-data-server/-/work_items/627 exploit

access.redhat.com/security/cve/CVE-2026-2604 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2440301 (RHBZ#2440301) issue-tracking

gitlab.gnome.org/GNOME/evolution-data-server/-/issues/627

cve.org (CVE-2026-2604)

nvd.nist.gov (CVE-2026-2604)

Download JSON