{"id":"CVE-2026-34078","summary":"Flatpak has a complete sandbox escape leading to host file access and code execution in the host context","details":"Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.","aliases":["GHSA-cc2q-qc34-jprg"],"modified":"2026-05-29T13:44:12.691413418Z","published":"2026-04-07T21:27:45.643Z","related":["ALSA-2026:21755","ALSA-2026:21756","ALSA-2026:21757","SUSE-SU-2026:1511-1","SUSE-SU-2026:1541-1","SUSE-SU-2026:1600-1","SUSE-SU-2026:1713-1","openSUSE-SU-2026:10541-1"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-61"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34078.json"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/04/09/8"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/04/10/14"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34078.json"},{"type":"ADVISORY","url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-cc2q-qc34-jprg"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34078"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/flatpak/flatpak","events":[{"introduced":"0"},{"fixed":"2cc39deb237776614f8bdecae1892e5229aeca60"}]}],"versions":["1.16.3","1.16.2","1.16.1","1.16.0","1.15.91","1.15.12","1.15.11","1.15.10","1.15.9","1.15.8","1.15.7","1.15.6","1.15.4","1.15.3","1.15.2","1.15.1","1.15.0","1.14.0","1.13.3","1.13.2","1.13.1","1.11.2","1.12.0","1.11.3","1.11.1","1.10.1","1.10.0","1.9.3","1.9.2","1.9.1","1.8.0","1.7.3","1.7.2","1.7.1","1.6.2","1.6.1","1.6.0","1.5.2","1.5.1","1.5.0","1.4.0","1.3.4","1.3.3","1.3.2","1.3.1","1.3.0","1.2.1","1.2.0","1.1.3","1.1.2","1.1.1","1.1.0","1.0.3","1.0.2","1.0.1","1.0.0","0.99.3","0.99.2","0.99.1","0.11.8.3","0.11.8.2","0.11.8.1","0.11.8","0.11.7","0.11.6","0.11.5","0.11.4","0.11.3","0.11.2","0.11.1","0.10.2","0.10.1","0.10.0","0.9.99","0.9.98.2","0.9.98.1","0.9.98","0.9.12","0.9.11","0.9.10","0.9.9","0.9.8","0.9.7","0.9.6","0.9.5","0.9.4","0.9.3","0.9.2","0.9.1","0.8.1","0.8.0","0.6.14","0.6.13","0.6.12","0.6.11","0.6.10","0.6.9","0.6.8","0.6.7","0.6.6","0.6.5","0.6.4","0.6.3","0.6.2","0.6.1","0.6.0","0.5.2","0.5.1","0.5.0","0.4.13","0.4.12","0.4.11","0.4.10","0.4.9","0.4.8","0.4.7","0.4.6","0.4.5","0.4.4","0.4.3","0.4.2.1","0.4.2","0.4.1","0.4.0","0.3.6","0.3.5","0.3.4","0.3.3","0.3.2","0.3.1","0.3","0.2.1","0.2","0.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-34078.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}