Package: flatpak
Severity: minor
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
In Flatpak older than 1.16.4, a local user can obtain read access to any
file that is readable by the user account running flatpak-system-helper
(in Debian, this is the "_flatpak" user). A mitigation is that usually
that user account can only read files that are world-readable anyway,
and a further mitigation is that this is only possible if a system OCI
repository is configured (rarely done on non-Fedora systems).
No CVE ID has been allocated: it wasn't clear whether this is a security
vulnerability at all, or just a bug, but out of an abundance of caution
it went through the process for dealing with embargoed vulnerabilities.
I think we should fix this in the same batch as the much more serious
CVE-2026-34078.
Thanks,
smcv
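For an administrator wanting to decide whether a given Debian host is in the affected configuration (Flatpak older than 1.16.4 with a system OCI repository), the script below is an added triage example; it is not part of this bug report and not Flatpak's own tooling. It assumes that `flatpak --version` prints `Flatpak X.Y.Z`, that `flatpak remotes --system --columns=name,url` lists system remotes with their URLs, and that OCI remotes are recognisable by an `oci+` URL scheme; the remote listing embedded in the block is constructed sample data, and the `find` over `_flatpak`-owned files is only an approximation of "readable by the helper account".

```shell
#!/bin/sh
# Added triage helper (assumption-based, not from the report or from Flatpak).

FIXED_VERSION=1.16.4          # version named in the report
HELPER_USER=_flatpak          # account running flatpak-system-helper on Debian

# Constructed sample of `flatpak remotes --system --columns=name,url` output.
SAMPLE_REMOTES='flathub	https://dl.flathub.org/repo/
fedora	oci+https://registry.fedoraproject.org'

# Succeed (0) when dotted version $1 is strictly older than $2.
version_older_than() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        case $a in *.*) x=${a%%.*}; a=${a#*.} ;; *) x=${a:-0}; a='' ;; esac
        case $b in *.*) y=${b%%.*}; b=${b#*.} ;; *) y=${b:-0}; b='' ;; esac
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Succeed (0) when a remote listing on stdin contains an OCI remote
# (assumption: OCI remotes use an oci+ URL scheme).
has_oci_remote() {
    grep -q '[[:space:]]oci+' 
}

# List files owned by the helper account that are not world-readable: the
# report's mitigation holds when this prints nothing. Approximate only (ignores
# group membership and ACLs).
nonpublic_files_owned_by_helper() {
    find / -xdev \( -user "$HELPER_USER" -o -group "$HELPER_USER" \) \
        -type f ! -perm -o=r 2>/dev/null
}

# Combine the checks for the local host; exits 2 if affected, 0 otherwise.
triage() {
    if ! command -v flatpak >/dev/null 2>&1; then
        echo "flatpak not installed"
        return 0
    fi
    ver=$(flatpak --version 2>/dev/null | awk '{print $2}')
    if ! version_older_than "$ver" "$FIXED_VERSION"; then
        echo "Flatpak $ver is not older than $FIXED_VERSION: not affected"
        return 0
    fi
    if flatpak remotes --system --columns=name,url 2>/dev/null | has_oci_remote; then
        echo "Flatpak $ver with a system OCI remote: affected configuration"
        echo "Non-world-readable files reachable via $HELPER_USER (approximate):"
        nonpublic_files_owned_by_helper
        return 2
    fi
    echo "Flatpak $ver but no system OCI remote: bug present, not reachable"
    return 0
}

# Run the host triage when executed directly.
[ "${0##*/}" = "sh" ] || triage
```

Because the report says the issue is only reachable with a system OCI remote, the script distinguishes "old version, not reachable" from "old version and reachable", and the `find` listing shows what the `_flatpak` account could expose beyond world-readable files on that particular host.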