Platform: linux
Component: xdg-desktop-portal
Fixed in: 1.20.4, 1.21.1
CVE-2026-40354 is a security vulnerability affecting xdg-desktop-portal, a component facilitating sandboxed application access to system resources. This flaw allows malicious Flatpak applications to bypass sandboxing restrictions and permanently delete files within the host system's file structure through a symlink attack. The vulnerability impacts versions 0.0.0 through 1.21.1, and a fix is available in version 1.21.1.
The core of this vulnerability lies in the improper handling of symbolic links within the xdg-desktop-portal's trash functionality. A malicious Flatpak application can create a symbolic link pointing to a sensitive file on the host system. When the application attempts to 'trash' this symbolic link, the portal incorrectly interprets it as a request to delete the target file, effectively granting the application unauthorized deletion privileges. This could lead to data loss, system instability, or even privilege escalation if critical system files are targeted. The blast radius extends to any files accessible by the user running the Flatpak application.
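As an added illustration of the mechanism described above (example code, not xdg-desktop-portal's own), the vulnerable pattern resolves the path it was handed and so removes the host file behind a sandbox-created link, while the hardened check opens the path with O_NOFOLLOW, sees the link itself and refuses it. The function names, the temporary files and the "sandbox" link are constructed for this example.

```python
import errno
import os
import stat
import tempfile

# Added example, not xdg-desktop-portal's own code: realpath()/stat() follow a symlink,
# so a link created inside a sandbox resolves to the host file it points at.
O_PATH = getattr(os, "O_PATH", 0)  # Linux flag; absent on other platforms

def hardened_kind(path: str) -> str:
    """Does not follow symlinks: the link itself is reported as 'symlink'."""
    try:
        fd = os.open(path, O_PATH | os.O_NOFOLLOW)
    except OSError as e:
        if e.errno != errno.ELOOP:
            raise
        return "symlink"  # without O_PATH, O_NOFOLLOW on a link fails with ELOOP
    try:
        mode = os.fstat(fd).st_mode  # describes the link, not its target
    finally:
        os.close(fd)
    if stat.S_ISLNK(mode):
        return "symlink"
    return "regular" if stat.S_ISREG(mode) else "other"

def naive_trash(path: str) -> None:
    """Vulnerable pattern: resolves the path first, so the link's target is removed."""
    os.remove(os.path.realpath(path))

def safe_trash(path: str, trash_dir: str) -> bool:
    """Moves only a regular file into trash_dir; refuses symlinks and anything else."""
    if hardened_kind(path) != "regular":
        return False
    os.rename(path, os.path.join(trash_dir, os.path.basename(path)))
    return True

def demo() -> dict:
    """Constructed scenario: a host file plus a sandbox-created link pointing at it."""
    with tempfile.TemporaryDirectory() as root:
        target, link = os.path.join(root, "host.txt"), os.path.join(root, "lnk")
        trash = os.path.join(root, "trash")
        os.mkdir(trash)
        with open(target, "w") as f:
            f.write("constructed sample content\n")
        os.symlink(target, link)
        out = {"hardened": hardened_kind(link), "refused_link": not safe_trash(link, trash)}
        out["intact_after_safe"] = os.path.isfile(target)
        naive_trash(link)  # the vulnerable pattern deletes the host file via the link
        out["intact_after_naive"] = os.path.isfile(target)
        return out
```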
This vulnerability was publicly disclosed on 2026-04-11. There is currently no indication of active exploitation campaigns targeting CVE-2026-40354. The CVSS score of 2.9 places it in the low severity band, and the EPSS estimate below likewise points to a low probability of exploitation in the wild. No public proof-of-concept exploits have been released at the time of writing.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-40354 is to upgrade xdg-desktop-portal to version 1.21.1 or later. If an immediate upgrade is not feasible because of compatibility issues or system constraints, apply stricter sandboxing policies to Flatpak applications, for example by limiting the permissions granted to them or restricting their access to sensitive directories. A WAF rule does not apply to a local desktop component, but monitoring for unusual file deletion activity within the user's home directory can provide an early warning. After upgrading, verify the fix by attempting to trash a symbolic link pointing to a test file; the portal should refuse the operation.
Update xdg-desktop-portal to version 1.20.4 or higher, or to version 1.21.1 or higher to mitigate the vulnerability. This update corrects a security flaw that allows Flatpak applications to trash files on the host system through a symbolic link attack. Ensure you update all systems that use xdg-desktop-portal.
CVE-2026-40354 is a vulnerability in xdg-desktop-portal allowing Flatpak apps to delete host files via a symlink attack, impacting versions 0.0.0–1.21.1.
You are affected if you use xdg-desktop-portal versions 0.0.0 through 1.21.1 on a Linux system with Flatpak installed.
Upgrade xdg-desktop-portal to version 1.21.1 or later to resolve the vulnerability. Consider stricter Flatpak sandboxing policies as a temporary workaround.
There is currently no indication of active exploitation campaigns targeting CVE-2026-40354.
Refer to the official xdg-desktop-portal project website or relevant security mailing lists for the latest advisory information.