CVE-2026-40354
Received Received - Intake
Symlink Attack in Flatpak xdg-desktop-portal Enables File Deletion

Publication date: 2026-04-11

Last updated on: 2026-04-27

Assigner: MITRE

Description
Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-11
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40354
EUVD
EUVD-2026-21625
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
flatpak xdg-desktop-portal to 1.20.4 (exc)
flatpak xdg-desktop-portal 1.21.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows any Flatpak app to trash arbitrary files on the host system via a symlink attack, which could lead to unauthorized data loss or manipulation.

Such unauthorized file deletion could potentially impact compliance with data protection regulations like GDPR or HIPAA if sensitive or regulated data is affected, as these standards require maintaining data integrity and availability.

However, the CVE description and resources do not explicitly discuss compliance implications or specific regulatory impacts.

Executive Summary

CVE-2026-40354 is a vulnerability in the Flatpak xdg-desktop-portal component before versions 1.20.4 and 1.21.1. It allows any Flatpak application to delete (trash) arbitrary files on the host system by exploiting a symlink attack on the g_file_trash function.

The issue arises from a time-of-check/time-of-use (TOCTOU) race condition where a malicious Flatpak app can request to trash a file it owns, then replace that file with a symbolic link pointing to another file on the host. Because of this, the portal ends up trashing the target of the symlink instead of the original file.

Impact Analysis

This vulnerability can allow a malicious or compromised Flatpak application to delete arbitrary files on your host system without your consent.

Such unauthorized file deletion could lead to data loss or disruption of system operations, depending on which files are targeted.

The severity is considered moderate, but it poses a risk to the integrity of your files and system stability.

Detection Guidance

There are no specific detection commands or network/system detection methods provided for this vulnerability in the available resources.

Mitigation Strategies

The primary mitigation step is to update the xdg-desktop-portal component to a fixed version.

  • Upgrade to version 1.20.4 or later, or to development prerelease 1.21.1 or later, where the vulnerability has been fixed.
  • Ensure that all Flatpak applications and related components are kept up to date to prevent exploitation of this symlink TOCTOU vulnerability.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40354. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart