CVE-2026-40354
Symlink Attack in Flatpak xdg-desktop-portal Enables File Deletion
Publication date: 2026-04-11
Last updated on: 2026-04-27
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| flatpak | xdg-desktop-portal | to 1.20.4 (exc) |
| flatpak | xdg-desktop-portal | 1.21.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-61 | The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40354 is a vulnerability in the Flatpak xdg-desktop-portal component before versions 1.20.4 and 1.21.1. It allows any Flatpak application to delete (trash) arbitrary files on the host system by exploiting a symlink attack on the g_file_trash function.
The issue arises from a time-of-check/time-of-use (TOCTOU) race condition where a malicious Flatpak app can request to trash a file it owns, then replace that file with a symbolic link pointing to another file on the host. Because of this, the portal ends up trashing the target of the symlink instead of the original file.
How can this vulnerability impact me? :
This vulnerability can allow a malicious or compromised Flatpak application to delete arbitrary files on your host system without your consent.
Such unauthorized file deletion could lead to data loss or disruption of system operations, depending on which files are targeted.
The severity is considered moderate, but it poses a risk to the integrity of your files and system stability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or network/system detection methods provided for this vulnerability in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the xdg-desktop-portal component to a fixed version.
- Upgrade to version 1.20.4 or later, or to development prerelease 1.21.1 or later, where the vulnerability has been fixed.
- Ensure that all Flatpak applications and related components are kept up to date to prevent exploitation of this symlink TOCTOU vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows any Flatpak app to trash arbitrary files on the host system via a symlink attack, which could lead to unauthorized data loss or manipulation.
Such unauthorized file deletion could potentially impact compliance with data protection regulations like GDPR or HIPAA if sensitive or regulated data is affected, as these standards require maintaining data integrity and availability.
However, the CVE description and resources do not explicitly discuss compliance implications or specific regulatory impacts.