CVE-2026-40354

Name
CVE-2026-40354
Description
Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type           URI
cve@mitre.org  https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.20.4
cve@mitre.org  https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.21.1
cve@mitre.org  https://github.com/flatpak/xdg-desktop-portal/security/advisories/GHSA-rqr9-jwwf-wxgj
cve@mitre.org  https://www.openwall.com/lists/oss-security/2026/04/10/14

Match rules

CPE URI                                                    Source package      Min version  Max version
cpe:2.3:a:flatpak:xdg-desktop-portal:*:*:*:*:*:*:*:*       xdg-desktop-portal  >= None      < 1.20.4
cpe:2.3:a:flatpak:xdg-desktop-portal:1.21.0:*:*:*:*:*:*:*  xdg-desktop-portal  == None      == 1.21.0

Vulnerable and fixed packages

Source package      Branch          Version    Maintainer                               Status
xdg-desktop-portal  edge-community  1.20.3-r4  team/alpine-desktop <achill@achill.org>  possibly vulnerable
xdg-desktop-portal  edge-community  1.20.3-r2  Jakub Jirutka <jakub@jirutka.cz>         possibly vulnerable
xdg-desktop-portal  edge-community  1.20.3-r1  Jakub Jirutka <jakub@jirutka.cz>         possibly vulnerable
xdg-desktop-portal  edge-community  1.20.3-r0  Jakub Jirutka <jakub@jirutka.cz>         possibly vulnerable
xdg-desktop-portal  edge-community  1.20.1-r0  Jakub Jirutka <jakub@jirutka.cz>         possibly vulnerable
xdg-desktop-portal  edge-community  1.20.0-r0  Jakub Jirutka <jakub@jirutka.cz>         possibly vulnerable
xdg-desktop-portal  edge-community  1.19.0-r0  Jakub Jirutka <jakub@jirutka.cz>         possibly vulnerable
xdg-desktop-portal  3.23-community  1.20.3-r4  team/alpine-desktop <achill@achill.org>  possibly vulnerable