Package: flatpak
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>

Flatpak older than 1.16.4 has an issue in which one local user can 
use the CancelPull method to cancel an ongoing download by a second 
local user, preventing the second user from subsequently cancelling that 
download. This is (at least arguably) a denial of service. No CVE ID has 
been assigned: it was not clear whether this is really a security 
vulnerability, or just a bug.

I think we should fix this in the same batch as the much more serious 
CVE-2026-34078.

Thanks,
    smcv
