Flatpak affected by arbitrary file deletion on the host filesystem

Description

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.

Affected Products

Vendor	Product	Versions
flatpak	flatpak	< 1.16.4

References

https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp(x_refsource_CONFIRM)

Related News (2 articles)

Tier D

Help Net Security2d ago

Flatpak 1.16.4 fixes sandbox escape and three other security flaws

→ No new info (linked only)

Tier C

VulDB3d ago

CVE-2026-34079 | Flatpak up to 1.16.3 Cache Directory path traversal (GHSA-p29x-r292-46pp)

→ No new info (linked only)

CVSS 3.17.5 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

1.16.4

CWECWE-22

PublishedApr 7, 2026

Last enriched2d agov3

Trending Score43

Source articles2

Independent2

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

Version History

Last enriched 2d ago

v3Tier D2d ago

Updated description with details on CVE-2026-34078 and CVE-2026-34079, and marked exploit as available.

cweIds

via Help Net Security

v2Tier C3d ago

Updated severity to CRITICAL, added new description details, and noted that the vulnerability is actively exploited.

descriptionseverityactivelyExploitedpatchAvailable

via VulDB

v13d ago

Initial creation

Flatpak affected by arbitrary file deletion on the host filesystem

Description

Affected Products

References

Related News (2 articles)

Community Vote

Related CVEs (3)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History