Back to Home

Flatpak CVE-2026-34078 Vulnerability: sandbox escape

Critical vulnerability CVE-2026-34078 in Flatpak allows app to escape sandbox via symlink in sandbox-expose. All versions up to 1.16.4 affected. Immediate update and audit of manifests recommended.

Flatpak vulnerability: full sandbox escape
Advertisement 728x90

Critical Flatpak CVE-2026-34078: Full Sandbox Escape via Symlink

Flatpak versions prior to 1.16.4 are vulnerable to CVE-2026-34078, allowing any application to escape its sandbox environment. An attacker creates a symlink within the sandbox-expose option, which Flatpak permits and mounts as an arbitrary path on the host system. The result? Full read/write access to the host filesystem and remote code execution under the host’s privileges.

Affected distributions include Fedora, Ubuntu, Linux Mint, and others. Upgrading to version 1.16.4 resolves the threat. The vulnerability was discovered by researchers at Codean Labs through analysis of the Flatpak Portal.

Exploitation Mechanism of CVE-2026-34078

The Flatpak Portal handles requests for access to host resources. In the sandbox-expose directive, applications can specify paths that may be symbolic links. The Portal follows these symlinks and mounts the target inside the sandbox.

Google AdInline article slot

Attack example:

  • The app creates a symlink: /tmp/evil -> /
  • It declares sandbox-expose=/tmp/evil in its manifest
  • The Portal mounts the root directory (/) into the sandbox
  • Full access to the host’s entire filesystem is granted

This leads to Remote Code Execution (RCE): the malicious app can write shell scripts to /bin or modify critical system files.

Full List of Fixed Vulnerabilities

Version 1.16.4 patches four issues:

Google AdInline article slot
  • CVE-2026-34078 (Critical): Sandbox escape via symlinks in sandbox-expose
  • CVE-2026-34079 (Moderate): Arbitrary file deletion on host
  • GHSA-2fxp-43j9-pwvc (Low): File read in system-helper context
  • GHSA-89xm-3j9-w3jg (Low): Cancellation of other users' pull operations

Trade-off: While the sandbox-expose mechanism simplifies DevOps workflows, it introduces a privilege escalation vector when handling malicious input.

System Check and Update Instructions

Check your current version:

flatpak --version

Update commands by distribution:

Google AdInline article slot
  • Fedora/RHEL: sudo dnf update flatpak
  • Ubuntu/Debian: sudo apt update && sudo apt upgrade flatpak
  • Arch: sudo pacman -Syu flatpak

Temporary mitigation (note: breaks portal-dependent apps):

sudo systemctl --global mask flatpak-portal.service
systemctl --user stop flatpak-portal.service

After updating, restart all Flatpak applications and services.

Production Impact and Containerization Comparison

In enterprise environments, Flatpak is widely used for desktop applications on Linux workstations. This vulnerability is equivalent to a container breakout in Docker without seccomp or AppArmor protections.

| Technology | Isolation Model | Equivalent Vulnerability |

|------------|------------------|----------------------------|

| Flatpak | Portal + namespaces | Symlink traversal |

| Snap | AppArmor + namespaces | None (strict profiles) |

| AppImage | None | No sandboxing |

| Docker | seccomp + namespaces | Mount escapes |

Performance: Flatpak incurs ~5–10% I/O overhead due to portal calls. In high-load scenarios like VDI farms, exploitation grants root access across all user sessions.

Key Takeaways

  • Any Flatpak app is exploitable—Flathub reviews do not protect against zero-day threats.
  • All distributions before 1.16.4 are affected—urgent patching required.
  • Disabling the Portal blocks the attack vector but breaks UX features like file dialogs and printing.
  • In production: audit sandbox-expose entries in manifests and monitor flatpak-portal logs.
  • Comparison: Snap with AppArmor offers stronger resistance to symlink-based attacks.

— Editorial Team

Advertisement 728x90

Read Next