Description
Incorrect caching of authentication between different users of the qSnapper dbus service before version 1.3.3 allowed any local attacker to use dbus functions after a privileged user has authenticated for them.
Published: 2026-06-22
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Incorrect caching of authentication data between different users in the qSnapper D-Bus service before version 1.3.3 enables a local attacker to invoke D‑Bus functions after a privileged user has authenticated. This vulnerability allows unauthorized users to bypass the proper authentication checks, giving them the ability to call privileged functions that were intended for the original authenticated user. The impact is that a local attacker can gain unauthorized access to the service’s privileged operations, effectively escalating privileges within the context of the qSnapper service.

Affected Systems

The affected product is qSnapper, specifically the D‑Bus component provided by the vendor presire. All releases prior to version 1.3.3 are vulnerable. Versions claiming to use the D‑Bus interface before that release lack the necessary authentication isolation.

Risk and Exploitability

The CVSS score of 8.4 indicates a high-severity vulnerability. EPSS is not available, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is local and requires a trusted process to authenticate first; once that occurs, the caching flaw allows another local user to reuse the authentication token. Because it requires local access and no network exposure, the attack is limited to machines where both privileged and unprivileged users operate, yet the potential for privilege escalation within the qSnapper service remains significant.

Generated by OpenCVE AI on June 22, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade qSnapper to version 1.3.3 or newer, which removes the authentication caching flaw.
  • If an upgrade is not immediately possible, restrict D‑Bus access to the qSnapper service by configuring the D‑Bus policy so that only trusted applications can connect, or disable services for other users.
  • In environments that still run the vulnerable versions, eliminate privileged accounts that can authenticate to qSnapper, or at least ensure they are not running continuously and monitor for any unauthorized D‑Bus activity.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | Incorrect caching of authentication between different users of the qSnapper dbus service before version 1.3.3 allowed any local attacker to use dbus functions after a privileged user has authenticated for them.
Title | | Caching of Authentication allows Authentication Bypass between users in qSnapper
Weaknesses | | CWE-303
References | |
Metrics | | cvssV4_0: {'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: suse

Published:

Updated: 2026-06-22T15:32:59.192Z

Reserved: 2026-04-16T13:37:50.679Z

Link: CVE-2026-41049

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T16:30:08Z

Weaknesses
  • CWE-303

    Incorrect Implementation of Authentication Algorithm