Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34078.json
https://github.com/flatpak/flatpak/security/advisories/GHSA-cc2q-qc34-jprg
https://bugzilla.redhat.com/show_bug.cgi?id=2456276
https://access.redhat.com/security/cve/CVE-2026-34078
https://access.redhat.com/errata/RHSA-2026:35843
https://access.redhat.com/errata/RHSA-2026:30901
https://access.redhat.com/errata/RHSA-2026:25381
https://access.redhat.com/errata/RHSA-2026:25068
https://access.redhat.com/errata/RHSA-2026:23420
https://access.redhat.com/errata/RHSA-2026:23419
https://access.redhat.com/errata/RHSA-2026:23418
https://access.redhat.com/errata/RHSA-2026:23417
https://access.redhat.com/errata/RHSA-2026:21757
Published: 2026-04-07
Updated: 2026-07-06
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Severity: Critical
Base Score: 10
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: Critical
Base Score: 9.3
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Severity: Critical
EPSS: 0.00155