[USN-8287-1] XDG Desktop Portal vulnerability
Posted on 21 May 2026
Ubuntu Security
==========================================================================
Ubuntu Security Notice USN-8287-1
May 20, 2026
xdg-desktop-portal vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.10
- Ubuntu 24.04 LTS
Summary:
XDG Desktop Portal could be made to delete files.
Software Description:
- xdg-desktop-portal: A portal frontend service for Flatpak and other desktop containment frameworks
Details:
It was discovered that XDG Desktop Portal incorrectly handled
trashing files. A local attacker could possibly use this issue to
delete arbitrary files on the host file system via a symlink attack.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.10
  xdg-desktop-portal      1.20.3+ds-1ubuntu1.1
  xdg-desktop-portal-dev  1.20.3+ds-1ubuntu1.1
Ubuntu 24.04 LTS
  xdg-desktop-portal      1.18.4-1ubuntu2.24.04.2
  xdg-desktop-portal-dev  1.18.4-1ubuntu2.24.04.2
In general, a standard system update will make all the necessary
changes.
References:
https://ubuntu.com/security/notices/USN-8287-1
CVE-2026-40354
Package Information:
https://launchpad.net/ubuntu/+source/xdg-desktop-portal/1.20.3+ds-1ubuntu1.1
https://launchpad.net/ubuntu/+source/xdg-desktop-portal/1.18.4-1ubuntu2.24.04.2
