CVE-2026-41047
Received - Intake
Authentication Bypass in qSnapper Snapshot Diff

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: SUSE

Description
Lack of authentication when using the "snapshot diff" functions in qSnapper before version 1.3.3 allowed a local attacker to see otherwise read-protected information.

Meta Information

Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-22
AI Q&A: 2026-06-22
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE

Vendor: presire
Product: qsnapper
Version / Range: 1.3.3

CWE ID: CWE-306
Description: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Compliance Impact

This vulnerability allows unauthorized local users to access sensitive information such as password files and private keys by exploiting the lack of authentication in qSnapper's snapshot diff functions.

Such unauthorized disclosure of sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and confidential information.

By exposing protected information without proper authentication, the vulnerability undermines compliance with these standards that mandate confidentiality, integrity, and access control measures.

Executive Summary

CVE-2026-41047 is an information disclosure vulnerability in qSnapper, a GUI frontend for managing Btrfs filesystem snapshots. The issue arises from a lack of proper authentication when using the "snapshot diff" functions, specifically the diff methods in qSnapper's D-Bus service. These methods allowed locally logged-in, unprivileged users to access sensitive information about file changes between snapshots or between snapshots and the live filesystem without requiring admin authentication.

The vulnerability stems from insufficient authorization checks, as these diff methods relied on the "list-snapshots" Polkit action, which did not enforce admin privileges. This allowed attackers to view otherwise protected data such as contents of sensitive files like /etc/shadow or changes in root's home directory.

The issue was fixed in qSnapper version 1.3.3 by introducing a new "view-diff" Polkit action that requires admin authentication, along with broader security hardening including changes to Polkit authentication, input validation, authorization, and logging.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored on the system. An attacker with local access but without administrative privileges could exploit the flaw to view detailed differences between filesystem snapshots, potentially exposing confidential data.

  • Exposure of sensitive files such as /etc/shadow, which contains password hashes.
  • Leakage of private keys or other confidential data stored in user directories, including root's home directory.

Such information disclosure could facilitate further attacks, including privilege escalation or unauthorized access to user accounts.

Detection Guidance

This vulnerability involves unauthorized access to qSnapper's snapshot diff functions without authentication. Detection involves checking if your system is running a vulnerable version of qSnapper (prior to 1.3.3) and whether unprivileged users can invoke diff-related D-Bus methods without authentication.

You can attempt to detect the vulnerability by running commands that call qSnapper's D-Bus methods related to snapshot diffs, such as ListSnapshots(), GetFileChanges(), or GetFileDiffAndDetails(), as an unprivileged user. If these commands succeed without requiring admin authentication, the system is vulnerable.

  • Use dbus-send or gdbus to call qSnapper's diff-related methods as a non-privileged user and observe if sensitive information is returned.
  • Check the installed qSnapper version with a command like `qsnapper --version` or by querying your package manager to verify if it is older than version 1.3.3.

Mitigation Strategies

The primary mitigation step is to upgrade qSnapper to version 1.3.3 or later, where the vulnerability has been fixed by introducing proper Polkit authentication for the snapshot diff functions.

Until the upgrade can be applied, restrict local user access to qSnapper's D-Bus services or disable the snapshot diff functionality to prevent unauthorized information disclosure.

Review and harden Polkit policies related to qSnapper, ensuring that the new "view-diff" Polkit action requiring admin authentication is enforced.
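
One way to carry out the Polkit review described above, as an added example that is not qSnapper's code and not part of the original advisory: it parses a polkit `.policy` file and reports whether an action that should be admin-only is missing or has a default that lets a non-admin through. The action ids, the sample policy and the `audit_policy` helper are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Polkit implicit-authorization values that demand admin authentication.
ADMIN_ONLY = {"auth_admin", "auth_admin_keep"}

# Constructed sample policy; the action ids are placeholders, not qSnapper's
# real ids. "list-snapshots" mimics a permissive default, "view-diff" a strict one.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.qsnapper.list-snapshots">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.qsnapper.view-diff">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>"""


def audit_policy(policy_xml, must_be_admin):
    """Return (missing, weak): required action suffixes that are absent, and
    (action_id, setting, value) tuples that let a non-admin through."""
    root = ET.fromstring(policy_xml)
    actions = {a.get("id"): a for a in root.iter("action")}
    missing, weak = [], []
    for suffix in must_be_admin:
        matches = [i for i in actions if i.endswith("." + suffix)]
        if not matches:
            missing.append(suffix)
        for action_id in matches:
            defaults = actions[action_id].find("defaults")
            for setting in ("allow_any", "allow_inactive", "allow_active"):
                node = defaults.find(setting) if defaults is not None else None
                # Assumption: an omitted element is treated as "no" (denied).
                value = node.text.strip() if node is not None and node.text else "no"
                if value not in ADMIN_ONLY and value != "no":
                    weak.append((action_id, setting, value))
    return missing, weak


if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY, ["view-diff"]))
```

Rules in polkit's `rules.d` directories can override these defaults, so a clean result covers only the shipped policy file.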
