CVE-2026-34079

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-34079

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-34079.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-34079

Aliases

GHSA-p29x-r292-46pp

Downstream

DEBIAN-CVE-2026-34079

Published

2026-04-07T21:29:44.601Z

Modified

2026-04-08T12:26:30.337534Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Flatpak affected by arbitrary file deletion on the host filesystem

Details

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34079.json",
    "cwe_ids": [
        "CWE-22"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/flatpak/flatpak

Affected ranges

Type

GIT

Repo

https://github.com/flatpak/flatpak

Events

Introduced

Fixed

2cc39deb237776614f8bdecae1892e5229aeca60

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.16.4"
        }
    ]
}

Affected versions

0.*

0.1

0.10.0

0.10.1

0.10.2

0.11.1

0.11.2

0.11.3

0.11.4

0.11.5

0.11.6

0.11.7

0.11.8

0.11.8.1

0.11.8.2

0.11.8.3

0.2

0.2.1

0.3

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.4.0

0.4.1

0.4.10

0.4.11

0.4.12

0.4.13

0.4.2

0.4.2.1

0.4.3

0.4.4

0.4.5

0.4.6

0.4.7

0.4.8

0.4.9

0.5.0

0.5.1

0.5.2

0.6.0

0.6.1

0.6.10

0.6.11

0.6.12

0.6.13

0.6.14

0.6.2

0.6.3

0.6.4

0.6.5

0.6.6

0.6.7

0.6.8

0.6.9

0.8.0

0.8.1

0.9.1

0.9.10

0.9.11

0.9.12

0.9.2

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9

0.9.98

0.9.98.1

0.9.98.2

0.9.99

0.99.1

0.99.2

0.99.3

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.1.0

1.1.1

1.1.2

1.1.3

1.10.0

1.10.1

1.11.1

1.11.2

1.11.3

1.12.0

1.13.1

1.13.2

1.13.3

1.14.0

1.15.0

1.15.1

1.15.10

1.15.11

1.15.12

1.15.2

1.15.3

1.15.4

1.15.6

1.15.7

1.15.8

1.15.9

1.15.91

1.16.0

1.16.1

1.16.2

1.16.3

1.2.0

1.2.1

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.4.0

1.5.0

1.5.1

1.5.2

1.6.0

1.6.1

1.6.2

1.7.1

1.7.2

1.7.3

1.8.0

1.9.1

1.9.2

1.9.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-34079.json"