Flatpak affected by arbitrary file deletion on the host filesystem

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.

Basic Information

ID CVE-2026-34079

Source GitHub_M

Published Apr 7, 2026 at 21:29

Modified Apr 10, 2026 at 20:13

Affected Product

Vendor flatpak

Product flatpak

Version < 1.16.4

Affected Versions flatpak flatpak < 1.16.4

CWE Classification

CWE-22

References

github.com /flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp

{
    "lastseen": "",
    "description": "Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps  to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.",
    "published": "2026-04-07T21:29:44.601Z",
    "modified": "2026-04-10T20:13:47.945Z",
    "type": "cve",
    "title": "Flatpak affected by arbitrary file deletion on the host filesystem",
    "source": "GitHub_M",
    "references": "https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp",
    "id": "CVE-2026-34079",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "flatpak flatpak < 1.16.4",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "flatpak",
    "version": "< 1.16.4",
    "vendor": "flatpak",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Flatpak affected by arbitrary file deletion on the host filesystem_CVE-2026-34079