Low severity2.9NVD Advisory· Published Apr 11, 2026· Updated Apr 27, 2026

CVE-2026-40354

Description

Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.

Affected products

Flatpak/Xdg Desktop Portal2 versions
cpe:2.3:a:flatpak:xdg-desktop-portal:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:flatpak:xdg-desktop-portal:*:*:*:*:*:*:*:*range: <1.20.4
- cpe:2.3:a:flatpak:xdg-desktop-portal:1.21.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/flatpak/xdg-desktop-portal/security/advisories/GHSA-rqr9-jwwf-wxgjnvdVendor Advisory
github.com/flatpak/xdg-desktop-portal/releases/tag/1.20.4nvdProduct
github.com/flatpak/xdg-desktop-portal/releases/tag/1.21.1nvdProduct
www.openwall.com/lists/oss-security/2026/04/10/14nvdMailing List

News mentions

No linked articles in our index yet.

cvss	0.189
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000