CVE-2026-34080

NameCVE-2026-34080
Descriptionxdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules but fails to handle eavesdrop ='true' (with a space before the equals sign) and similar cases. Clients can intercept D-Bus messages they should not have access to. This vulnerability is fixed in 0.1.7.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4542-1, DSA-6209-1, DSA-6224-1
Debian Bugs1132939

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xdg-dbus-proxy (PTS)bullseye0.1.2-2vulnerable
bullseye (security)0.1.2-2+deb11u1fixed
bookworm0.1.4-3vulnerable
bookworm (security)0.1.4-3+deb12u1fixed
trixie0.1.6-1vulnerable
trixie (security)0.1.6-1+deb13u1fixed
forky, sid0.1.7-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xdg-dbus-proxysourcebullseye0.1.2-2+deb11u1DLA-4542-1
xdg-dbus-proxysourcebookworm0.1.4-3+deb12u1DSA-6224-1
xdg-dbus-proxysourcetrixie0.1.6-1+deb13u1DSA-6209-1
xdg-dbus-proxysource(unstable)0.1.7-11132939

Notes

https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677
Fixed by: https://github.com/flatpak/xdg-dbus-proxy/commit/4d0d1d74d4f40260a79161163b4b2f7276bce0b0 (0.1.7)
Search for package or bug name: Reporting problems