Flatpak allows malicious apps to delete any file on the computer

CVE-2026-40354
Summary

A security issue in xdg-desktop-portal, as used by Flatpak, allows any Flatpak app to trash any file in the host context through a symlink attack on g_file_trash. A malicious app could use this to remove important system or user files, potentially causing data loss or system instability. Update xdg-desktop-portal to 1.20.4, 1.21.1, or later to fix this issue.

Original title
Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.
Original description
Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.
NVD CVSS 3.1 score: 2.9
Vulnerability type
CWE-61
Published: 11 Apr 2026 · Updated: 11 Apr 2026 · First seen: 11 Apr 2026