CVE-2026-34078 - Vulnerability Details

- Flatpak has a complete sandbox escape leading to host file access and code execution in the host context

Description

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.

Published: 2026-04-07

Score: 9.3 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows an application running within a Flatpak sandbox to escape the confinement by creating symlinks that resolve to arbitrary host paths when passed to the sandbox-expose options. Once the host paths are mounted, the app gains unrestricted read and write access to all files on the host system and may execute code in the host context. This represents a significant compromise of confidentiality, integrity, and availability of the host environment. The weakness aligns with path traversal (CWE‑59) and file inclusion (CWE‑61).

Affected Systems

All installations of Flatpak using the Flatpak portal preceding version 1.16.4 are affected. Users of the flatpak:flatpak product that rely on sandbox-expose feature must verify their current version and update. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS score of 9.3 classifies the flaw as critical, and while an EPSS score is not publicly available, the design of SandBox can be abused by any app that can be run locally by the user, implying a high likelihood of exploitation. The flaw is not listed in KEV, suggesting it may not yet be commonly exploited in the wild. The attack vector is inferred to be local, requiring an attacker to run a malicious or compromised Flatpak application that utilizes sandbox-expose. If such an app is executed, it can reach host files and potentially run code on the host.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

flatpak

affected

Version	Status	Constraints
`< 1.16.4`	affected	—

Configuration 1 [-]

cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Flatpak

100%

Version	Status	Scheme	Platform
`[0,1.16.4)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Flatpak to version 1.16.4 or later.
Disable or restrict use of the sandbox-expose portal options if not needed.
Verify that all Flatpak applications use the latest version before deployment.

Generated by OpenCVE AI on April 8, 2026 at 13:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6207-1	flatpak security update
Debian DSA	DSA-6223-1	flatpak security update

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0005.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/04/09/8
http://www.openwall.com/lists/oss-security/2026/04/10/14
https://github.com/flatpak/flatpak/security/advisories/GHSA-cc2q-qc34-jprg
https://nvd.nist.gov/vuln/detail/CVE-2026-34078
https://www.cve.org/CVERecord?id=CVE-2026-34078

History

Fri, 24 Apr 2026 18:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:flatpak:flatpak::::::::
Metrics	cvssV3_1 `{'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}`

Sat, 11 Apr 2026 01:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/04/10/14

Thu, 09 Apr 2026 11:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/04/09/8

Wed, 08 Apr 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Flatpak Flatpak flatpak
Vendors & Products		Flatpak Flatpak flatpak

Wed, 08 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 08 Apr 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-59
References		https://nvd.nist.gov/vuln/detail/CVE-2026-34078 https://www.cve.org/CVERecord?id=CVE-2026-34078
Metrics	threat_severity `None`	cvssV3_1 `{'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}` threat_severity `Moderate`

Tue, 07 Apr 2026 22:00:00 +0000

Type	Values Removed	Values Added
Description		Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.
Title		Flatpak has a complete sandbox escape leading to host file access and code execution in the host context
Weaknesses		CWE-61
References		https://github.com/flatpak/flatpak/security/advisories/GHSA-cc2q-qc34-jprg
Metrics		cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Flatpak Flatpak

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-07T21:27:45.643Z

Updated: 2026-04-11T00:21:12.650Z

Reserved: 2026-03-25T16:21:40.868Z

Link: CVE-2026-34078

Vulnrichment

Updated: 2026-04-11T00:21:12.650Z

NVD

Status : Analyzed

Published: 2026-04-07T22:16:21.930

Modified: 2026-04-24T17:50:18.043

Link: CVE-2026-34078

Redhat

Severity : Moderate

Publid Date: 2026-04-07T21:27:45Z

Links: CVE-2026-34078 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:45:31Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object