CVE-2026-34079

HIGH

Flatpak affected by arbitrary file deletion on the host filesystem

Title source: cna

Description

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.

References (1)

[X_Refsource_Confirm] https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp

Scores

CVSS v3 7.5

EPSS 0.0014

EPSS Percentile 33.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (1)

flatpak/flatpak < 1.16.4 (2 CPE variants)

Published Apr 07, 2026

Tracked Since Apr 08, 2026