Directory Traversal Vulnerability in Evolution Data Server Affecting Flatpak Applications
CVE-2026-2604

5.6 MEDIUM

What is CVE-2026-2604?

A vulnerability exists in Evolution Data Server: improper comparison logic in the addressbook file backend allows a Flatpak application with D-Bus access to supply a crafted URI containing directory traversal sequences. The URI is stored without adequate validation when a contact is created or modified. Critically, when the contact is later deleted, the same URI is processed with a less stringent validation, potentially enabling deletion of arbitrary files on the host filesystem. This includes the risk of removing sensitive Flatpak override files, which could significantly compromise system integrity and user data safety.
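As an added illustration, not Evolution Data Server's own code, the defensive pattern this advisory points at: a single component-wise path check that is applied identically when a contact file is stored and when it is deleted, shown beside a constructed prefix-only check that a traversal path slips past. Function names, the base directory and the lax check are assumptions.

```c
/* Added example, not Evolution Data Server code. One strict path check is
 * shared by the store and delete operations, so a path that was accepted at
 * creation time cannot later be used to remove a file outside the backend's
 * directory. Names and the lax check below are constructed for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Strict check: `rel` must be relative, have no empty, "." or ".." components,
 * must not end in '/', and must fit under `base`. On success the joined path
 * is written to `out`. */
bool path_confined(const char *base, const char *rel, char *out, size_t outlen)
{
    if (rel == NULL || *rel == '\0' || *rel == '/')
        return false;                        /* empty or absolute path */
    if (rel[strlen(rel) - 1] == '/')
        return false;                        /* names a directory, not a file */
    for (const char *p = rel; *p; ) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 0 || (len == 1 && p[0] == '.') ||
            (len == 2 && p[0] == '.' && p[1] == '.'))
            return false;                    /* "//", "." or ".." component */
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    int n = snprintf(out, outlen, "%s/%s", base, rel);
    return n >= 0 && (size_t)n < outlen;     /* reject truncation */
}

/* Constructed lax check, for contrast only: it refuses a leading "../" but
 * accepts "photos/../../x". A prefix test like this is the kind of weaker
 * validation that lets a traversal path through on one code path. */
bool lax_check(const char *rel)
{
    return rel != NULL && *rel != '/' && strncmp(rel, "../", 3) != 0;
}

/* Store and delete use the same strict check; neither falls back to lax_check. */
bool store_contact_file(const char *base, const char *rel)
{
    char path[512];
    return path_confined(base, rel, path, sizeof path);
}

bool delete_contact_file(const char *base, const char *rel)
{
    char path[512];
    return path_confined(base, rel, path, sizeof path);
}
```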

Affected Version(s)

Evolution Data Server versions before 3.59.3

References

CVSS V3.1

Score: 5.6
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Codean Labs for reporting this issue.