Description
Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.
Published: 2026-04-11
Score: 2.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: File Deletion
Action: Patch
AI Analysis

Impact

A flaw in the Flatpak xdg-desktop-portal component permits any Flatpak application to invoke the g_file_trash API with a crafted symbolic link, causing the host's file associated with the link to be removed. The vulnerability is a directory traversal / symlink manipulation issue (CWE‑59) leading to unintended file deletion. As a result, the attacker can delete arbitrary files on the host system, compromising data integrity and availability.

Affected Systems

This flaw affects the Flatpak xdg‑desktop‑portal component in versions prior to 1.20.4 and any 1.21.x release older than 1.21.1. Users running one of these older releases on Linux distributions that provide Flatpak support are susceptible.

Risk and Exploitability

The CVSS score of 2.9 indicates a low‑severity vulnerability, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local and requires the attacker to run a Flatpak application that uses the g_file_trash function. It is inferred that no elevated privileges are required; a regular user can create a symlink to a privileged file and trigger its deletion. Although the risk is modest, deleting critical system files could be disruptive.

Generated by OpenCVE AI on April 14, 2026 at 02:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flatpak xdg‑desktop‑portal to version 1.20.4 or later, or 1.21.1 or later.

Generated by OpenCVE AI on April 14, 2026 at 02:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 23:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:flatpak:xdg-desktop-portal:*:*:*:*:*:*:*:*
cpe:2.3:a:flatpak:xdg-desktop-portal:1.21.0:*:*:*:*:*:*:*

Wed, 15 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title File Deletion via Symlink Attack in Flatpak XDG Desktop Portal flatpak: xdg-desktop-portal: Flatpak xdg-desktop-portal: File deletion via symlink attack
Weaknesses CWE-59
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title File Deletion via Symlink Attack in Flatpak XDG Desktop Portal

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Flatpak
Flatpak xdg-desktop-portal
Vendors & Products Flatpak
Flatpak xdg-desktop-portal

Sat, 11 Apr 2026 01:00:00 +0000

Type Values Removed Values Added
Description Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.
Weaknesses CWE-61
References
Metrics cvssV3_1

{'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Flatpak Xdg-desktop-portal
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-15T15:14:27.291Z

Reserved: 2026-04-11T00:29:02.889Z

Link: CVE-2026-40354

cve-icon Vulnrichment

Updated: 2026-04-15T15:14:22.002Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-11T01:16:16.270

Modified: 2026-04-27T23:11:58.333

Link: CVE-2026-40354

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-11T00:29:03Z

Links: CVE-2026-40354 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:36:16Z

Weaknesses