CVE-2026-34079
Flatpak affected by arbitrary file deletion on the host filesystem
CVSS Score
7.5
EPSS Score
0.2%
EPSS Percentile
42th
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.
| CWE | CWE-22 |
| Vendor | flatpak |
| Product | flatpak |
| Published | Apr 7, 2026 |
| Last Updated | Apr 10, 2026 |
Stay Ahead of the Next One
Get instant alerts for flatpak flatpak
Be the first to know when new high vulnerabilities affecting flatpak flatpak are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
flatpak / flatpak
< 1.16.4