CVE-2026-34078EXPLOITEDPATCHED

flatpak · flatpak

Flatpak has a complete sandbox escape leading to host file access and code execution in the host context

Description

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.

Affected Products

Vendor	Product	Versions
flatpak	flatpak	< 1.16.4

References

https://github.com/flatpak/flatpak/security/advisories/GHSA-cc2q-qc34-jprg(x_refsource_CONFIRM)

Related News (5 articles)

Tier C

oss-security8h ago

xdg-desktop-portal GHSA-rqr9-jwwf-wxgj: Trashing of arbitrary host files

→ No new info (linked only)

Tier C

oss-security1d ago

Re: 4 security fixes in Flatpak, including critical CVE-2026-34078: Complete sandbox escape leading to host file access and code execution in the host context

→ No new info (linked only)

Tier C

oss-security2d ago

4 security fixes in Flatpak, including critical CVE-2026-34078: Complete sandbox escape leading to host file access and code execution in the host context

→ No new info (linked only)

Tier D

Help Net Security2d ago

Flatpak 1.16.4 fixes sandbox escape and three other security flaws

CVSS 3.18.0 NONE

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

1.17.5

CWECWE-61

PublishedApr 7, 2026

Last enriched7h agov6

Community Vote

Vulnerability Timeline

CVE Published

Apr 7, 2026

Discovered by ZDM

Apr 7, 2026

Updated: severity, activelyExploited, patchAvailable

Apr 8, 2026

Updated: cweIds

Apr 8, 2026

Updated: severity, affectedVersions, patchAvailable

Apr 9, 2026

Updated: severity, cvssEstimate, exploitAvailable, tags

Apr 9, 2026

Updated: severity, cvssEstimate, cweIds, tags

Apr 10, 2026

Actively Exploited

Apr 11, 2026

Exploit Available

Apr 11, 2026

Patch Available

Apr 11, 2026

Version History

Last enriched 7h ago

v6Tier C7h ago

Updated severity to HIGH, CVSS estimate to 8.0, added new CWE-367, and included a new tag.

severitycvssEstimatecweIdstags

via oss-security

v5Tier C1d ago

Updated severity to HIGH, added CVSS estimate of 7.5, marked exploit as available, and added new tag for CVE-2026-34078.

severitycvssEstimateexploitAvailabletags

via oss-security

v4Tier C2d ago

Updated severity to CRITICAL, added new affected versions 1.16.5 and 1.17.5, and updated the patch available to 1.17.5.

severityaffectedVersionspatchAvailable

via oss-security

v3Tier D2d ago

Added CVE-2026-34078 to the description and included a new CWE-22.

cweIds

via Help Net Security

v2Tier C3d ago

Updated severity to CRITICAL, marked as actively exploited, and specified patch available in version 1.16.4.

severityactivelyExploitedpatchAvailable

via VulDB

v13d ago

Initial creation

Flatpak has a complete sandbox escape leading to host file access and code execution in the host context

Description

Affected Products

References

Related News (5 articles)

Community Vote

Related CVEs (3)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History