Improper Cache Handling in Flatpak Leads to Unrestricted File Deletion
CVE-2026-34079

8.7 HIGH

Key Information:

Vendor: Flatpak

Status
Vendor
CVE Published: 7 April 2026

What is CVE-2026-34079?

A flaw in the Flatpak application sandboxing and distribution framework allows apps to delete arbitrary files on the host machine. The cause is improper handling of outdated cache files by the caching mechanism for ld.so. Specifically, before version 1.16.4, the framework did not check whether the app-controlled path to these outdated cache files was inside the designated cache directory before removing them. This exposes systems to data loss or unauthorized file manipulation. Updating to the fixed version, 1.16.4, resolves the issue.
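The missing containment check described above, as an added example of one general way to scope a deletion to a directory. This is not Flatpak's code or its actual fix; `remove_stale_cache`, `touch`, `demo` and the temporary paths are hypothetical and the scenario is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Flatpak code): delete a stale cache entry only if
 * the untrusted name is a single path component directly inside cache_dir.
 * Returns 0 on success, -1 if the name is rejected or the unlink fails. */
int remove_stale_cache(const char *cache_dir, const char *name)
{
    if (name[0] == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;
    /* Pin the directory, then unlink relative to that descriptor. unlinkat()
     * removes the entry itself and does not follow a symlink stored there. */
    int dfd = open(cache_dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    int rc = unlinkat(dfd, name, 0);
    close(dfd);
    return rc == 0 ? 0 : -1;
}

static void touch(const char *path)
{
    close(open(path, O_WRONLY | O_CREAT, 0600));
}

/* Constructed scenario in a temp dir; one bit per check that behaved. */
int demo(void)
{
    char root[] = "/tmp/cache-demo-XXXXXX", cache[128], victim[128], stale[192];
    if (!mkdtemp(root))
        return -1;
    snprintf(cache, sizeof cache, "%s/cache", root);
    snprintf(victim, sizeof victim, "%s/victim", root);
    snprintf(stale, sizeof stale, "%s/stale.cache", cache);
    mkdir(cache, 0700); touch(victim); touch(stale);
    int ok = (remove_stale_cache(cache, "../victim") == -1) << 0; /* traversal */
    ok |= (remove_stale_cache(cache, victim) == -1) << 1;         /* absolute */
    ok |= (access(victim, F_OK) == 0) << 2;           /* outside file intact */
    ok |= (remove_stale_cache(cache, "stale.cache") == 0) << 3;   /* in-cache */
    ok |= (access(stale, F_OK) != 0) << 4;            /* stale entry is gone */
    unlink(victim); rmdir(cache); rmdir(root);
    return ok; /* 31 when all five checks pass */
}

int main(void) { return demo() == 31 ? 0 : 1; }
```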

Affected Version(s)

flatpak < 1.16.4

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
