{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34080", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-25T16:21:40.868Z", "datePublished": "2026-04-07T20:57:57.931Z", "dateUpdated": "2026-04-21T12:21:20.635Z"}, "containers": {"cna": {"title": "xdg-dbus-proxy has an eavesdrop filter bypass allowing message interception", "problemTypes": [{"descriptions": [{"cweId": "CWE-1289", "lang": "en", "description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677"}], "affected": [{"vendor": "flatpak", "product": "xdg-dbus-proxy", "versions": [{"version": "< 0.1.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T20:57:57.931Z"}, "descriptions": [{"lang": "en", "value": "xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules but fails to handle eavesdrop ='true' (with a space before the equals sign) and similar cases. Clients can intercept D-Bus messages they should not have access to. This vulnerability is fixed in 0.1.7."}], "source": {"advisory": "GHSA-vjp5-hjfm-7677", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:40:24.515938Z", "id": "CVE-2026-34080", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:40:38.556Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/10/15"}, {"url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00022.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-21T12:21:20.635Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/10/15"}, {"url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00022.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-21T12:21:20.635Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34080", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T15:40:24.515938Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:40:32.785Z"}}], "cna": {"title": "xdg-dbus-proxy has an eavesdrop filter bypass allowing message interception", "source": {"advisory": "GHSA-vjp5-hjfm-7677", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "flatpak", "product": "xdg-dbus-proxy", "versions": [{"status": "affected", "version": "< 0.1.7"}]}], "references": [{"url": "https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677", "name": "https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules but fails to handle eavesdrop ='true' (with a space before the equals sign) and similar cases. Clients can intercept D-Bus messages they should not have access to. This vulnerability is fixed in 0.1.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1289", "description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T20:57:57.931Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34080", "state": "PUBLISHED", "dateUpdated": "2026-04-21T12:21:20.635Z", "dateReserved": "2026-03-25T16:21:40.868Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T20:57:57.931Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:flatpak:xdg-dbus-proxy:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2C34D37-589C-4F7B-93D2-064131550C09", "versionEndExcluding": "0.1.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules but fails to handle eavesdrop ='true' (with a space before the equals sign) and similar cases. Clients can intercept D-Bus messages they should not have access to. This vulnerability is fixed in 0.1.7."}], "id": "CVE-2026-34080", "lastModified": "2026-04-21T13:16:20.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T21:17:17.720", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/04/10/15"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00022.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1289"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "xdg-dbus-proxy: xdg-dbus-proxy: Information disclosure due to policy parser vulnerability", "id": "2456273", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456273"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-1286", "details": ["A flaw was found in xdg-dbus-proxy, a filtering proxy for D-Bus connections. A local client can exploit a policy parser vulnerability by crafting specific policy rules, such as including a space before the equals sign in \"eavesdrop=true\". This improper parsing allows the client to bypass intended eavesdrop restrictions. The consequence is information disclosure, where clients can intercept D-Bus messages that should otherwise be inaccessible."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-34080", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "xdg-dbus-proxy", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "xdg-dbus-proxy", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-07T20:57:57Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34080\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34080\nhttps://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.1.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "xdg-dbus-proxy", "source": "cna", "vendor": "flatpak"}, "product": "xdg-dbus-proxy", "vendor": "flatpak"}], "analysis": {"en": {"generated_at": "2026-04-14T20:58:12.469917+00:00", "value": {"mitigation_remediation": ["Upgrade xdg-dbus-proxy to version 0.1.7 or newer."], "summary": {"action": "Apply Patch", "impact": "Message Interception via D-Bus"}, "threat_synthesis": {"affected_systems": "Flatpak\u2019s xdg-dbus-proxy version 0.1.6 and earlier are affected. The issue is fixed in version 0.1.7 and later; no other products are impacted.", "description_and_impact": "The xdg-dbus-proxy service parses policy rules to enforce whether a client may eavesdrop on D-Bus traffic. A flaw in the parser allows a client to supply a value such as \"eavesdrop ='true'\"\u2014with a space before the equals sign\u2014causing the proxy to incorrectly interpret the flag as true and permit message interception. This can be used by a malicious D-Bus client to observe messages it should not access. The effect is data confidentiality loss within the D-Bus ecosystem.", "risk_and_exploitability": "The CVSS score of 6.8 indicates moderate severity, while the EPSS score is less than 1\u202f% and the vulnerability is not listed in the CISA KEV catalog, implying a low likelihood of exploitation in the wild. The likely attack vector requires local access or a compromised client that can influence policy processing; remote exploitation without additional local privileges is not described. The risk is moderate for environments that rely on strict D-Bus access controls but should still be mitigated promptly."}}}}, "created": "2026-04-08T19:34:14.321978+00:00", "updated": "2026-04-15T16:15:11.968109+00:00", "vendors": ["flatpak", "flatpak$PRODUCT$xdg-dbus-proxy"]}