CVE-2026-40354

Published: Apr 11, 2026Modified: Apr 27, 2026

6.3

Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Exploitability: 1.0 / Impact: 5.2

Source: NVD

Description

Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.

Affected (2)

Products: Flatpak: Xdg Desktop Portal

Flatpak

1 product

Xdg Desktop Portal

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Flatpak Xdg Desktop Portal	Before 1.20.4
Flatpak Xdg Desktop Portal	Version 1.21.0

Related CWEs

CWE-61

UNIX Symbolic Link (Symlink) Following

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

References (4)

https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.20.4

Source: cve@mitre.org

Product

https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.21.1

Source: cve@mitre.org

Product

https://github.com/flatpak/xdg-desktop-portal/security/advisories/GHSA-rqr9-jwwf-wxgj

Source: cve@mitre.org

Vendor Advisory

https://www.openwall.com/lists/oss-security/2026/04/10/14

Source: cve@mitre.org

Mailing List

Timeline

No history available yet.