CVE-2026-39977
Received Received - Intake
Path Traversal in flatpak-builder License-Files Allows Host File Disclosure

Publication date: 2026-04-09

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
flatpak-builder is a tool to build flatpaks from source. From 1.4.5 to before 1.4.8, the license-files manifest key takes an array of paths to user defined licence files relative to the source directory of the module. The paths from that array are resolved using g_file_resolve_relative_path() and validated to stay inside the source directory using two checks - g_file_get_relative_path() which does not resolve symlinks and g_file_query_file_type() with G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS which only applies to the final path component. The copy operation runs on host. This can be exploited by using a crafted manifest and/or source to read arbitrary files from the host and capture them into the build output. This vulnerability is fixed in 1.4.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39977
EUVD
EUVD-2026-21045
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
flatpak flatpak-builder From 1.4.5 (inc) to 1.4.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39977 is a high-severity path traversal vulnerability in flatpak-builder versions 1.4.5 through 1.4.7, fixed in version 1.4.8. The vulnerability arises from the way the tool handles the license-files manifest key, which specifies license file paths relative to the source directory.

The paths are resolved and validated to stay inside the source directory using checks that do not properly handle symbolic links or path traversal sequences. This improper validation allows crafted manifests or source archives to specify license file paths that escape the source directory.

As a result, an attacker can cause arbitrary files from the host system to be read and copied into the build output, potentially exposing sensitive information.

Impact Analysis

This vulnerability can allow an attacker to read arbitrary files from the host system during the build process and include them in the build output. This can lead to the exposure of sensitive information such as environment variables, secret tokens, or personal configuration files.

While the impact is considered low for local users who typically trust manifests, it poses a significant risk in distributed build or continuous integration (CI) environments where central secrets or tokens are stored.

Attackers can exploit this vulnerability to exfiltrate sensitive information from CI hosts into build artifacts that are then distributed to users, potentially compromising security and confidentiality.

Detection Guidance

This vulnerability can be detected by inspecting flatpak-builder manifests and source archives for the presence of symlinks or path traversal sequences in the license-files array that escape the source directory.

Specifically, you can look for symlinks inside the source directory that point outside the directory, such as to /proc/self or user home directories.

Suggested commands to detect suspicious symlinks or paths include:

  • Find symlinks inside the source directory: `find /path/to/source -type l -ls`
  • Check where symlinks point: `readlink -f /path/to/source/symlink`
  • Search for license-files entries in manifests that contain ../ or absolute paths: `grep -r license-files /path/to/manifests`
  • Verify if any license file paths resolve outside the source directory by scripting path resolution checks.
Mitigation Strategies

The immediate mitigation step is to upgrade flatpak-builder to version 1.4.8 or later, where this vulnerability is fixed.

Until upgrading, avoid using untrusted manifests or source archives that specify license-files, especially in distributed build or CI environments.

Additionally, audit existing manifests and source directories for symlinks or license file paths that could escape the source directory and remove or correct them.

Restrict build environments to trusted users and inputs to reduce the risk of exploitation.

Compliance Impact

This vulnerability allows attackers to read arbitrary files from the host system and include them in build outputs, potentially exposing sensitive information such as environment variables and secret tokens.

In environments like distributed build or continuous integration (CI) systems, where sensitive data such as central secrets or tokens may be present, this can lead to unauthorized disclosure of confidential information.

Such unauthorized exposure of sensitive data could lead to non-compliance with regulations like GDPR or HIPAA, which require protection of personal and sensitive information from unauthorized access and disclosure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39977. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart