PatchSiren cyber security CVE debrief
CVE-2026-2604 GNOME CVE debrief
A flaw was found in evolution-data-server. Inconsistent comparison logic in the addressbook file backend allows a Flatpak application with D-Bus access to craft a malicious URI containing directory traversal sequences. This URI is stored without proper validation during contact creation or modification. Later, during contact deletion, the URI is processed with a less strict check, leading to the deletion of arbitrary files on the host filesystem. This could potentially include critical Flatpak override files. The vulnerability requires D-Bus access and a specific set of circumstances to be exploited.
- Vendor
- GNOME
- Product
- evolution-data-server
- CVSS
- MEDIUM 5.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-06-17
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-06-17
Who should care
Users of GNOME evolution-data-server, particularly those using Flatpak applications with D-Bus access, should be aware of this vulnerability and take steps to mitigate its impact. This includes restricting D-Bus access to only necessary Flatpak applications and monitoring for any suspicious activity related to contact creation, modification, and deletion.
Technical summary
The flaw in evolution-data-server allows a Flatpak application with D-Bus access to craft a malicious URI containing directory traversal sequences. This URI can be stored without proper validation during contact creation or modification. When the contact is deleted, the URI is processed with a less strict check, potentially leading to the deletion of arbitrary files on the host filesystem. The vulnerability requires D-Bus access and a specific set of circumstances to be exploited.
Defensive priority
Medium priority should be given to patching this vulnerability, as it requires D-Bus access and a specific set of circumstances to be exploited.
Recommended defensive actions
- Apply patches or updates provided by the GNOME project for evolution-data-server.
- Restrict D-Bus access to only necessary Flatpak applications.
- Monitor for any suspicious activity related to contact creation, modification, and deletion.
- Implement additional security measures to protect sensitive files on the host filesystem.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-06-17T13:20:15.937Z and was last modified on 2026-06-17T16:14:51.680Z. The NVD entry is currently Awaiting Analysis. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the GNOME project. Users should be cautious of potential directory traversal attacks.
Official resources
-
CVE-2026-2604 CVE record
CVE.org
-
CVE-2026-2604 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
- Source reference
- Source reference
-
Source reference
af854a3a-2127-422b-91ae-364da2661108
-
Source reference
134c704f-9b21-4f2e-91b3-4a467353bcc0
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T13:20:15.937Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.