Sandbox Escape Vulnerability in Flatpak by Flatpak
CVE-2026-34078

9.3CRITICAL

Key Information:

Vendor: Flatpak
Status: Flatpak
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-34078?

Flatpak, a Linux application sandboxing and distribution framework, allows apps to control symlinks pointing to arbitrary host paths in its sandbox-expose options. This configuration issue can lead to unauthorized access to all host files. As a result, attackers may leverage this flaw to gain code execution within the host environment, compromising system integrity. This vulnerability has been addressed in version 1.16.4.

Affected Version(s)

flatpak < 1.16.4

References

https://github.com/flatpak/flatpak/security/advisories/GH...

x_refsource_CONFIRM

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Mar 25, 2026

CVE-2026-34078 Data

JSON