oss-sec mailing list archives
xdg-desktop-portal GHSA-rqr9-jwwf-wxgj: Trashing of arbitrary host files
From: Simon McVittie <smcv () debian org>
Date: Sat, 11 Apr 2026 00:08:55 +0100
xdg-desktop-portal's Trash portal is designed to allow sandboxed apps to ask for a file or directory accessible to the app to be moved to the trash. Similar to CVE-2026-34078 in Flatpak (but less serious), Codean Labs reported that a malicious or compromised Flatpak app could ask the portal to trash a file that it owns, then replace that file with a symlink, exploit a time-of-check/time-of-use mismatch and make the portal trash the target of the symlink on the host system instead. This is fixed in stable release 1.20.4 and development prerelease 1.21.1. https://github.com/flatpak/xdg-desktop-portal/security/advisories/GHSA-rqr9-jwwf-wxgj
Current thread:
- xdg-desktop-portal GHSA-rqr9-jwwf-wxgj: Trashing of arbitrary host files Simon McVittie (Apr 10)
