CVE-2026-40354

NameCVE-2026-40354
DescriptionFlatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1132958

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xdg-desktop-portal (PTS)bullseye1.8.1-1vulnerable
bookworm1.16.0-2vulnerable
trixie1.20.3+ds-1vulnerable
forky, sid1.20.4+ds-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xdg-desktop-portalsource(unstable)1.20.4+ds-11132958

Notes

[trixie] - xdg-desktop-portal <no-dsa> (Minor issue; can be fixed via point release)
[bookworm] - xdg-desktop-portal <no-dsa> (Minor issue; can be fixed via point release)
[bullseye] - xdg-desktop-portal <postponed> (Minor issue)
https://github.com/flatpak/xdg-desktop-portal/security/advisories/GHSA-rqr9-jwwf-wxgj
Search for package or bug name: Reporting problems