Back to search
CVE-2026-34078
Published: Apr 7, 2026
Modified: Apr 11, 2026
PUBLISHED
Description
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.
| Vendor | Product | Versions |
|---|---|---|
flatpak | flatpak | affected < 1.16.4 |
Weaknesses (CWE)
References
https://github.com/flatpak/flatpak/security/advisories/GHSA-cc2q-qc34-jprg
x_refsource_CONFIRM
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now