Policy Parser Flaw in xdg-dbus-proxy Affects Flatpak
CVE-2026-34080

6.8 MEDIUM

Key Information:

Vendor: Flatpak
CVE Published: 7 April 2026

What is CVE-2026-34080?

A policy parser vulnerability exists in xdg-dbus-proxy prior to version 0.1.7. The flaw lets an attacker bypass eavesdrop restrictions because the parser mishandles whitespace in policy rules: checks for eavesdrop=true do not match variants such as eavesdrop ='true'. Unauthorized clients can therefore intercept D-Bus messages, compromising the confidentiality and integrity of the communication. The issue was addressed in version 0.1.7, which underlines the importance of keeping software updated to guard against such vulnerabilities.
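As an added illustration (not code from xdg-dbus-proxy or Flatpak), the C sketch below contrasts a literal substring check with a tokenizing check that tolerates whitespace and quoting, using the variant named above. The function names, the sample rule and the fail-closed choices are assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Naive filter (hypothetical): matches only exact spellings of the pair. */
static bool naive_has_eavesdrop(const char *rule) {
    return strstr(rule, "eavesdrop=true") != NULL ||
           strstr(rule, "eavesdrop='true'") != NULL;
}

static const char *skip_ws(const char *p) {
    while (isspace((unsigned char)*p)) p++;
    return p;
}

/* Tokenizing filter (hypothetical): walks comma-separated key=value pairs,
 * skipping whitespace around the key and '=' and stripping single quotes.
 * Fails closed: a malformed rule, or an eavesdrop key whose value is not
 * exactly "false", is reported as an eavesdrop request. */
static bool strict_has_eavesdrop(const char *rule) {
    const char *p = rule;
    while (*(p = skip_ws(p)) != '\0') {
        const char *key = p;
        while (*p && *p != '=' && !isspace((unsigned char)*p)) p++;
        size_t klen = (size_t)(p - key);
        p = skip_ws(p);
        if (*p != '=') return true;           /* no '=' after key */
        p = skip_ws(p + 1);
        char val[8] = {0};
        size_t n = 0;
        bool quoted = false;
        for (; *p && (quoted || *p != ','); p++) {
            if (*p == '\'') quoted = !quoted; /* quotes toggle, not copied */
            else if (n < sizeof val - 1) val[n++] = *p;
        }
        if (quoted) return true;              /* unterminated quote */
        if (klen == 9 && memcmp(key, "eavesdrop", 9) == 0 &&
            strcmp(val, "false") != 0)
            return true;
        if (*p == ',') p++;
    }
    return false;
}

int main(void) {
    /* Constructed rule using the variant spelling from the advisory text. */
    const char *r = "type='signal',eavesdrop ='true'";
    printf("naive=%d strict=%d\n", naive_has_eavesdrop(r), strict_has_eavesdrop(r));
    return 0;
}
```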

Affected Version(s)

xdg-dbus-proxy < 0.1.7

CVSS V4

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
