CVE-2026-40354: CWE-61 UNIX Symbolic Link (Symlink) Following in Flatpak xdg-desktop-portal
Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-40354) involves improper handling of symbolic links in Flatpak's xdg-desktop-portal, specifically in the g_file_trash function. Flatpak apps running in affected versions can exploit this to delete arbitrary files on the host system by creating symlinks that redirect the trash operation. The issue affects versions prior to 1.20.4 and 1.21.1. The CVSS 3.1 base score is 2.9, reflecting low impact with local attack vector, high attack complexity, no privileges required, no user interaction, and limited availability impact. No known exploits are reported in the wild.
Potential Impact
The vulnerability allows local Flatpak applications to delete files on the host system by leveraging symlink following in the trash operation. This impacts availability by potentially removing important files but does not affect confidentiality or integrity. The low CVSS score reflects the limited scope and complexity of exploitation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict untrusted Flatpak applications from running or limit their permissions to reduce risk. Monitor vendor communications for updates on patches or official mitigations.
CVE-2026-40354: CWE-61 UNIX Symbolic Link (Symlink) Following in Flatpak xdg-desktop-portal
Description
Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-40354) involves improper handling of symbolic links in Flatpak's xdg-desktop-portal, specifically in the g_file_trash function. Flatpak apps running in affected versions can exploit this to delete arbitrary files on the host system by creating symlinks that redirect the trash operation. The issue affects versions prior to 1.20.4 and 1.21.1. The CVSS 3.1 base score is 2.9, reflecting low impact with local attack vector, high attack complexity, no privileges required, no user interaction, and limited availability impact. No known exploits are reported in the wild.
Potential Impact
The vulnerability allows local Flatpak applications to delete files on the host system by leveraging symlink following in the trash operation. This impacts availability by potentially removing important files but does not affect confidentiality or integrity. The low CVSS score reflects the limited scope and complexity of exploitation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict untrusted Flatpak applications from running or limit their permissions to reduce risk. Monitor vendor communications for updates on patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2026-04-11T00:29:02.889Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d99e6e1cc7ad14da1225aa
Added to database: 4/11/2026, 1:05:50 AM
Last enriched: 4/18/2026, 2:04:34 PM
Last updated: 5/26/2026, 7:50:05 AM
Views: 87
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.