PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-2604 GNOME CVE debrief

A flaw was found in evolution-data-server. Inconsistent comparison logic in the addressbook file backend allows a Flatpak application with D-Bus access to craft a malicious URI containing directory traversal sequences. This URI is stored without proper validation during contact creation or modification. Later, during contact deletion, the URI is processed with a less strict check, leading to the deletion of arbitrary files on the host filesystem. This could potentially include critical Flatpak override files. The vulnerability requires D-Bus access and a specific set of circumstances to be exploited.

Vendor
GNOME
Product
evolution-data-server
CVSS
MEDIUM 5.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-17
Advisory published
2026-06-17
Advisory updated
2026-06-17

Who should care

Users of GNOME evolution-data-server, particularly those using Flatpak applications with D-Bus access, should be aware of this vulnerability and take steps to mitigate its impact. This includes restricting D-Bus access to only necessary Flatpak applications and monitoring for any suspicious activity related to contact creation, modification, and deletion.

Technical summary

The flaw in evolution-data-server allows a Flatpak application with D-Bus access to craft a malicious URI containing directory traversal sequences. This URI can be stored without proper validation during contact creation or modification. When the contact is deleted, the URI is processed with a less strict check, potentially leading to the deletion of arbitrary files on the host filesystem. The vulnerability requires D-Bus access and a specific set of circumstances to be exploited.

Defensive priority

Medium priority should be given to patching this vulnerability, as it requires D-Bus access and a specific set of circumstances to be exploited.

Recommended defensive actions

  • Apply patches or updates provided by the GNOME project for evolution-data-server.
  • Restrict D-Bus access to only necessary Flatpak applications.
  • Monitor for any suspicious activity related to contact creation, modification, and deletion.
  • Implement additional security measures to protect sensitive files on the host filesystem.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-06-17T13:20:15.937Z and was last modified on 2026-06-17T16:14:51.680Z. The NVD entry is currently Awaiting Analysis. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the GNOME project. Users should be cautious of potential directory traversal attacks.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T13:20:15.937Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.