Improper Authorization Vulnerability in PackageKit API by PackageKit
CVE-2026-10294

5.3MEDIUM

Key Information:

Vendor

PackageKit

Status
Packagekit
Vendor
CVE Published:
1 June 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-10294?

A vulnerability has been discovered in the PackageKit API, specifically within the g_file_test function of the pk-transaction.c component. This issue arises when the frontend-socket argument is manipulated, which can lead to improper authorization. As a result, attackers may exploit this vulnerability remotely, gaining unauthorized access to system functions. With the exploit now publicly disclosed, it's crucial for users of PackageKit versions up to 1.3.5 to implement security measures to mitigate potential risks.

Affected Version(s)

PackageKit 1.3.0

PackageKit 1.3.1

PackageKit 1.3.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-10294 - Proof of Concept

References

https://vuldb.com/vuln/367587
vdb-entrytechnical-description
https://vuldb.com/vuln/367587/cti
signaturepermissions-required
https://vuldb.com/cve/CVE-2026-10294
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Rosa Yu (VulDB User)
.