Description
flatpak-builder is a tool to build flatpaks from source. From 1.4.5 to before 1.4.8, the license-files manifest key takes an array of paths to user defined licence files relative to the source directory of the module. The paths from that array are resolved using g_file_resolve_relative_path() and validated to stay inside the source directory using two checks - g_file_get_relative_path() which does not resolve symlinks and g_file_query_file_type() with G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS which only applies to the final path component. The copy operation runs on host. This can be exploited by using a crafted manifest and/or source to read arbitrary files from the host and capture them into the build output. This vulnerability is fixed in 1.4.8.
Published: 2026-04-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file read on host
Action: Apply patch
AI Analysis

Impact

flatpak-builder, a build tool used to create Flatpak packages, contains a path traversal flaw when processing the license-files key in a module's manifest. An attacker can supply a crafted manifest whose licence paths point to arbitrary files on the host filesystem; flatpak-builder resolves them with g_file_resolve_relative_path, the containment checks do not account for symlinks in intermediate components, and the files are copied into the build output. This allows reading sensitive data such as configuration, credentials, or system files, compromising confidentiality. The weakness corresponds to CWE-22, classic directory traversal.
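Added illustration, a Python re-creation of the check logic rather than flatpak-builder's own C code: `lexical_check` mirrors the two checks from the description (string-level containment with no symlink resolution, plus a no-follow symlink test on the final component only), and `resolved_check` is the hardened form that resolves every component before testing containment. The function names and the temporary directory layout are constructed for this example.

```python
import os
import tempfile


def lexical_check(source_dir: str, rel: str) -> bool:
    """Re-creation of the flawed pattern: a relative-path containment test
    that never resolves symlinks, plus a no-follow symlink test that is
    applied to the final path component only."""
    candidate = os.path.normpath(os.path.join(source_dir, rel))
    inside = os.path.commonpath([source_dir, candidate]) == source_dir
    # islink() uses lstat(): intermediate symlinks are followed and only the
    # last component is inspected without following.
    return inside and not os.path.islink(candidate)


def resolved_check(source_dir: str, rel: str) -> bool:
    """Hardened form: resolve every component, then test containment."""
    root = os.path.realpath(source_dir)
    candidate = os.path.realpath(os.path.join(root, rel))
    return candidate == root or candidate.startswith(root + os.sep)


def demo() -> dict:
    """Builds a constructed layout under a temp dir:
      source/LICENSE           regular licence file (should be accepted)
      source/lic -> ../outside symlinked directory leaving the source tree
      outside/note.txt         file that must stay unreachable
    Returns (lexical, resolved) verdicts for three candidate paths."""
    base = tempfile.mkdtemp()
    source, outside = os.path.join(base, "source"), os.path.join(base, "outside")
    os.makedirs(source)
    os.makedirs(outside)
    for path in (os.path.join(source, "LICENSE"), os.path.join(outside, "note.txt")):
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
    os.symlink(outside, os.path.join(source, "lic"))
    cases = {"LICENSE": "LICENSE",
             "dotdot": "../outside/note.txt",
             "via_symlink_dir": "lic/note.txt"}
    return {name: (lexical_check(source, rel), resolved_check(source, rel))
            for name, rel in cases.items()}


if __name__ == "__main__":
    for name, (lexical, resolved) in demo().items():
        print(f"{name:16s} lexical={lexical} resolved={resolved}")
```

The plain `../` case is caught by both checks; only the path through a symlinked directory passes the lexical check and is rejected once every component is resolved.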

Affected Systems

The vulnerability exists in flatpak-builder versions 1.4.5 through 1.4.7 inclusive. Users running these versions should be aware that any build performed with an untrusted manifest can leak host files into the resulting package. The fix was introduced in version 1.4.8, which sanitises license file paths properly.

Risk and Exploitability

CVSS 7.1 indicates a high risk of damage if exploited. The vulnerability requires local execution of the build process with a malicious manifest; therefore the attack vector is limited to systems that run flatpak-builder, typically developer workstations or build servers. Although EPSS data is unavailable, the lack of a KEV listing suggests no public exploits yet, but the straightforward exploitation path makes it a moderate to high risk in environments that process untrusted build manifests. Upgrading or applying the vendor patch mitigates the risk.

Generated by OpenCVE AI on April 9, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to flatpak-builder 1.4.8 or newer to fix path traversal handling.
  • If upgrade is not possible immediately, avoid using untrusted or unverified manifests and ensure manifest files are sourced from trusted parties.
  • Monitor for any security advisories from Flatpak regarding this issue.

Tracking

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:flatpak:flatpak-builder:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}


Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

threat_severity

Moderate


Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Flatpak
Flatpak flatpak-builder
Vendors & Products Flatpak
Flatpak flatpak-builder

Thu, 09 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Description flatpak-builder is a tool to build flatpaks from source. From 1.4.5 to before 1.4.8, the license-files manifest key takes an array of paths to user defined licence files relative to the source directory of the module. The paths from that array are resolved using g_file_resolve_relative_path() and validated to stay inside the source directory using two checks - g_file_get_relative_path() which does not resolve symlinks and g_file_query_file_type() with G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS which only applies to the final path component. The copy operation runs on host. This can be exploited by using a crafted manifest and/or source to read arbitrary files from the host and capture them into the build output. This vulnerability is fixed in 1.4.8.
Title flatpak-builder has a path traversal leading to arbitrary file read on host when installing licence files
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Flatpak Flatpak-builder
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T20:19:28.323Z

Reserved: 2026-04-08T00:01:47.628Z

Link: CVE-2026-39977

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-09T20:16:26.660

Modified: 2026-04-16T20:52:42.940

Link: CVE-2026-39977

Redhat

Severity : Moderate

Public Date: 2026-04-09T19:05:23Z

Links: CVE-2026-39977 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-10T09:29:46Z

Weaknesses