CVE-2026-34079

CWE-22 — Path Traversal9 documents7 sources

Severity

8.7HIGH

EPSS

0.1%

top 67.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Flatpak Flatpak

Timeline

PublishedApr 7

Latest updateApr 8

Description

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages1 packages

▶CVEListV5flatpak/flatpak< 1.16.4

🔴Vulnerability Details

OSV

CVE-2026-34079: Flatpak is a Linux application sandboxing and distribution framework↗2026-04-07

▶

CVEList

Flatpak affected by arbitrary file deletion on the host filesystem↗2026-04-07

▶

📋Vendor Advisories

Red Hat

flatpak: Flatpak: Arbitrary file deletion on host via improper cache file path validation↗2026-04-07

▶

Debian

CVE-2026-34079: flatpak - Flatpak is a Linux application sandboxing and distribution framework. Prior to 1...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-34079 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-34079 flatpak: Flatpak: Arbitrary file deletion on host via improper cache file path validation [fedora-42]↗2026-04-08

▶

Bugzilla

CVE-2026-34079 flatpak: Flatpak: Arbitrary file deletion on host via improper cache file path validation [fedora-43]↗2026-04-08

▶

Bugzilla

CVE-2026-34079 flatpak: Flatpak: Arbitrary file deletion on host via improper cache file path validation↗2026-04-07

▶