Description
Incorrect caching of authentication between different users of the  qSnapper dbus service before version 1.3.3 allowed any local attacker to use dbus functions after a privileged users has authenticated for them.
Published: 2026-06-22
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Incorrect caching of authentication data between different users in the qSnapper D‑Bus service before version 1.3.3 enables a local attacker to invoke D‑Bus functions after a privileged user has authenticated. This vulnerability allows unauthorized users to bypass the proper authentication checks, giving them the ability to call privileged functions that were intended for the original authenticated user. The impact is that a local attacker can gain unauthorized access to the service’s privileged operations, effectively escalating privileges within the context of the qSnapper service.

Affected Systems

Products affected are qSnapper, specifically the D‑Bus component provided by the vendor presire. All releases prior to version 1.3.3 are vulnerable. Versions claiming to use the D‑Bus interface before that release lack the necessary authentication isolation.

Risk and Exploitability

The CVSS score of 8.4 indicates a high severity vulnerability. EPSS 0.00134 (0.13%) indicates a very low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The threat vector is local privilege, requiring a trusted process to authenticate first; once that occurs the caching flaw allows another local user to reuse the authentication token. Because it requires local access and no network exposure, the attack is limited to machines where both privileged and unprivileged users operate, yet the potential for privilege escalation within the qSnapper service remains significant.

Generated by OpenCVE AI on July 12, 2026 at 21:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade qSnapper to version 1.3.3 or newer, which removes the authentication caching flaw.
  • If an upgrade is not immediately possible, restrict D‑Bus access to the qSnapper service by configuring the D‑Bus policy services for other users.
  • In environments that still run the vulnerable versions, eliminate privileged accounts that can authenticate to qSnapper, or at least ensure they are not running continuously and monitor for any unauthorized D‑Bus activity.

Generated by OpenCVE AI on July 12, 2026 at 21:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 06:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-303 CWE-863

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Presire
Presire qsnapper
Vendors & Products Presire
Presire qsnapper

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Incorrect caching of authentication between different users of the  qSnapper dbus service before version 1.3.3 allowed any local attacker to use dbus functions after a privileged users has authenticated for them.
Title Caching of Authentication allows Authentication Bypass between users in qSnapper
Weaknesses CWE-303
References
Metrics cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Presire Qsnapper
cve-icon MITRE

Status: PUBLISHED

Assigner: suse

Published:

Updated: 2026-07-08T05:55:01.962Z

Reserved: 2026-04-16T13:37:50.679Z

Link: CVE-2026-41049

cve-icon Vulnrichment

Updated: 2026-06-22T16:25:26.347Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-12T21:30:16Z

Weaknesses