{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40354", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-11T00:29:02.889Z", "datePublished": "2026-04-11T00:29:03.467Z", "dateUpdated": "2026-04-15T15:14:27.291Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "xdg-desktop-portal", "vendor": "Flatpak", "versions": [{"lessThan": "1.20.4", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "1.21.1", "status": "affected", "version": "1.21.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-61", "description": "CWE-61 UNIX Symbolic Link (Symlink) Following", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-11T00:29:03.467Z"}, "references": [{"url": "https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.21.1"}, {"url": "https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.20.4"}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/10/14"}, {"url": "https://github.com/flatpak/xdg-desktop-portal/security/advisories/GHSA-rqr9-jwwf-wxgj"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T15:13:04.765142Z", "id": "CVE-2026-40354", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T15:14:27.291Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40354", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T15:13:04.765142Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T15:14:22.002Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.9, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Flatpak", "product": "xdg-desktop-portal", "versions": [{"status": "affected", "version": "0", "lessThan": "1.20.4", "versionType": "semver"}, {"status": "affected", "version": "1.21.0", "lessThan": "1.21.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.21.1"}, {"url": "https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.20.4"}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/10/14"}, {"url": "https://github.com/flatpak/xdg-desktop-portal/security/advisories/GHSA-rqr9-jwwf-wxgj"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-61", "description": "CWE-61 UNIX Symbolic Link (Symlink) Following"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-11T00:29:03.467Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40354", "state": "PUBLISHED", "dateUpdated": "2026-04-15T15:14:27.291Z", "dateReserved": "2026-04-11T00:29:02.889Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-11T00:29:03.467Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:flatpak:xdg-desktop-portal:*:*:*:*:*:*:*:*", "matchCriteriaId": "6EE2AC77-CD98-4889-B26F-9EB4391D3970", "versionEndExcluding": "1.20.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:flatpak:xdg-desktop-portal:1.21.0:*:*:*:*:*:*:*", "matchCriteriaId": "9314DB96-4EDF-43A8-BC7A-5074770F1E4A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash."}], "id": "CVE-2026-40354", "lastModified": "2026-04-27T23:11:58.333", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-11T01:16:16.270", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.20.4"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.21.1"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://github.com/flatpak/xdg-desktop-portal/security/advisories/GHSA-rqr9-jwwf-wxgj"}, {"source": "cve@mitre.org", "tags": ["Mailing List"], "url": "https://www.openwall.com/lists/oss-security/2026/04/10/14"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-61"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "flatpak: xdg-desktop-portal: Flatpak xdg-desktop-portal: File deletion via symlink attack", "id": "2457541", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457541"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "status": "draft"}, "cwe": "CWE-59", "details": ["A flaw was found in Flatpak xdg-desktop-portal. A malicious Flatpak application can exploit this vulnerability by performing a symbolic link (symlink) attack on the `g_file_trash` function. This allows the Flatpak application to delete any file on the host system, leading to a denial of service."], "name": "CVE-2026-40354", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "xdg-desktop-portal", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "xdg-desktop-portal", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "xdg-desktop-portal", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "xdg-desktop-portal", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-11T00:29:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40354\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40354\nhttps://github.com/flatpak/xdg-desktop-portal/releases/tag/1.20.4\nhttps://github.com/flatpak/xdg-desktop-portal/releases/tag/1.21.1\nhttps://github.com/flatpak/xdg-desktop-portal/security/advisories/GHSA-rqr9-jwwf-wxgj\nhttps://www.openwall.com/lists/oss-security/2026/04/10/14"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.20.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.21.0,1.21.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "xdg-desktop-portal", "source": "cna", "vendor": "Flatpak"}, "product": "xdg-desktop-portal", "vendor": "flatpak"}], "analysis": {"en": {"generated_at": "2026-04-14T02:06:31.886289+00:00", "value": {"mitigation_remediation": ["Upgrade Flatpak xdg\u2011desktop\u2011portal to version 1.20.4 or later, or 1.21.1 or later."], "summary": {"action": "Patch", "impact": "File Deletion"}, "threat_synthesis": {"affected_systems": "This flaw affects the Flatpak xdg\u2011desktop\u2011portal component in versions prior to 1.20.4 and any 1.21.x release older than 1.21.1. Users running one of these older releases on Linux distributions that provide Flatpak support are susceptible.", "description_and_impact": "A flaw in the Flatpak xdg-desktop-portal component permits any Flatpak application to invoke the g_file_trash API with a crafted symbolic link, causing the host's file associated with the link to be removed. The vulnerability is a directory traversal / symlink manipulation issue (CWE\u201159) leading to unintended file deletion. As a result, the attacker can delete arbitrary files on the host system, compromising data integrity and availability.", "risk_and_exploitability": "The CVSS score of 2.9 indicates a low\u2011severity vulnerability, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local and requires the attacker to run a Flatpak application that uses the g_file_trash function. It is inferred that no elevated privileges are required; a regular user can create a symlink to a privileged file and trigger its deletion. Although the risk is modest, deleting critical system files could be disruptive."}}}}, "created": "2026-04-13T12:42:04.131136+00:00", "updated": "2026-04-14T16:36:16.293348+00:00", "vendors": ["flatpak", "flatpak$PRODUCT$xdg-desktop-portal"]}