Debian Linux - evolution-data-server - None

Red Hat Enterprise Linux - evolution-data-server: Evolution Data Server: Arbitrary file deletion via inconsistent URI handling

Ubuntu Linux - insecure local cache file removal

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4503 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4503-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                    Thorsten Alteholz     March 19, 2026                                https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : evolution-data-server     Version        : 3.38.3-1+deb11u3     CVE ID         : CVE-2026-2604


    An issue has been found in evolution-data-server, an evolution database     backend server.
    A Flatpak application with D-Bus access to the addressbook service can     delete arbitrary files on the host, potentially including Flatpak override     files. This fix canonicalizes the file path before performing a prefix     comparison, ensuring that ../ sequences are resolved.



    For Debian 11 bullseye, this problem has been fixed in version     3.38.3-1+deb11u3.

    We recommend that you upgrade your evolution-data-server packages.

    For the detailed security status of evolution-data-server please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/evolution-data-server

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1451 advisory.

    The Evolution backend server exposes the D-Bus service org.gnome.evolution.dataserver.AddressBook, that     can be used in order to manage contacts. A Flatpak application with access to this D-Bus service can     exploit this issue in order to gain arbitrary file deletion on the host filesystem. (CVE-2026-2604)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of evolution-data-server installed on the remote host is prior to 3.28.5-4. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3179 advisory.

    The Evolution backend server exposes the D-Bus service org.gnome.evolution.dataserver.AddressBook, that     can be used in order to manage contacts. A Flatpak application with access to this D-Bus service can     exploit this issue in order to gain arbitrary file deletion on the host filesystem. (CVE-2026-2604)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:0775-1 advisory.

    This update for evolution-data-server fixes the following issue:

    - CVE-2026-2604: arbitrary file deletion via inconsistent URI handling (bsc#1258307).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:0776-1 advisory.

    This update for evolution-data-server fixes the following issue:

    - CVE-2026-2604: arbitrary file deletion via inconsistent URI handling (bsc#1258307).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 host has packages installed that are affected by a vulnerability as referenced in the USN-8055-1 advisory.

    It was discovered that Evolution Data Server incorrectly handled removing local cache files. An attacker     could possibly use this issue to cause Evolution Data Server to remove arbitrary files.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - The Evolution backend server exposes the D-Bus service org.gnome.evolution.dataserver.AddressBook, that     can be used in order to manage contacts. A Flatpak application with access to this D-Bus service can     exploit this issue in order to gain arbitrary file deletion on the host filesystem. (CVE-2026-2604)     (CVE-2026-2604)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
303078	Debian dla-4503 : evolution-data-server - security update	Nessus	Debian Local Security Checks	medium
301340	Amazon Linux 2023 : evolution-data-server, evolution-data-server-devel, evolution-data-server-langpacks (ALAS2023-2026-1451)	Nessus	Amazon Linux Local Security Checks	medium
301265	Amazon Linux 2 : evolution-data-server, --advisory ALAS2-2026-3179 (ALAS-2026-3179)	Nessus	Amazon Linux Local Security Checks	medium
300979	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : evolution-data-server (SUSE-SU-2026:0775-1)	Nessus	SuSE Local Security Checks	medium
300973	SUSE SLED15 / SLES15 Security Update : evolution-data-server (SUSE-SU-2026:0776-1)	Nessus	SuSE Local Security Checks	medium
299809	Ubuntu 22.04 LTS / 24.04 LTS / 25.10 : Evolution Data Server vulnerability (USN-8055-1)	Nessus	Ubuntu Local Security Checks	high
299230	Linux Distros Unpatched Vulnerability : CVE-2026-2604	Nessus	Misc.	high

Detections

Analytics

CVE-2026-2604

medium

Tenable Plugins

medium

medium

medium

medium

medium

high

high