CVE-2026-34078 | THREATINT

Description

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.

PUBLISHED Reserved 2026-03-25 | Published 2026-04-07 | Updated 2026-04-11 | Assigner GitHub_M

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-61: UNIX Symbolic Link (Symlink) Following

Product status

< 1.16.4

affected

References

www.openwall.com/lists/oss-security/2026/04/09/8

www.openwall.com/lists/oss-security/2026/04/10/14

github.com/...latpak/security/advisories/GHSA-cc2q-qc34-jprg

cve.org (CVE-2026-34078)

nvd.nist.gov (CVE-2026-34078)

Download JSON