CVE-2026-34078
Symlink Resolution Flaw in Flatpak Allows Host Code Execution
Publication date: 2026-04-07
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| flatpak | flatpak | to 1.16.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-61 | The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Flatpak, a Linux application sandboxing and distribution framework. Before version 1.16.4, Flatpak's portal accepted paths in the sandbox-expose options that could be controlled by the application as symbolic links pointing to arbitrary paths on the host system. When Flatpak runs, it mounts the resolved host path inside the sandbox, effectively giving the application access to all files on the host. This flaw can be exploited as a primitive to gain code execution in the host context.
How can this vulnerability impact me? :
The vulnerability allows an application running inside the Flatpak sandbox to access any file on the host system by exploiting app-controlled symbolic links. This can lead to unauthorized access to sensitive files and potentially allow the attacker to execute code with the privileges of the host environment, compromising the security and integrity of the host system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Flatpak to version 1.16.4 or later, where the issue has been fixed.