PT-2026-31705 · Unknown · Flatpak-Builder

Published: 2026-04-09 · Updated: 2026-04-21 · CVE-2026-39977

CVSS v4.0: 7.1 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: flatpak-builder versions 1.4.5 through 1.4.7

Description: flatpak-builder, a tool for building flatpaks from source, contains a flaw in its handling of the 'license-files' manifest key that allows arbitrary files on the host system to be read and included in the build output. The cause is that the validation of file paths does not fully resolve symlinks, so a crafted manifest and/or source can bypass the containment checks. The issue affects versions from 1.4.5 up to, but not including, 1.4.8.

Recommendations: Update to flatpak-builder version 1.4.8 or later.
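The root cause described above, as an added illustration that is not flatpak-builder's own code: a lexical containment check that normalises `..` but never follows symlinks, beside a check that resolves symlinks on both sides before comparing, exercised on a constructed temporary tree where a file inside the source directory is a symlink to a file outside it.

```python
import os
import shutil
import tempfile


def naive_is_contained(root: str, rel: str) -> bool:
    """Lexical check only: collapses '..' segments but never follows symlinks.
    A symlink inside root that points outside still passes."""
    candidate = os.path.normpath(os.path.join(root, rel))
    return candidate == root or candidate.startswith(root + os.sep)


def strict_is_contained(root: str, rel: str) -> bool:
    """Resolve every symlink in both the root and the candidate first, then
    require the resolved candidate to live under the resolved root."""
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, rel))
    return os.path.commonpath([real_root, candidate]) == real_root


def build_demo_tree() -> str:
    """Constructed fixture: <tmp>/source is the build tree, <tmp>/secret.txt
    sits outside it, and source/LICENSE is a symlink to that outside file."""
    tmp = tempfile.mkdtemp(prefix="license-files-demo-")
    src = os.path.join(tmp, "source")
    os.mkdir(src)
    outside = os.path.join(tmp, "secret.txt")
    with open(outside, "w") as fh:
        fh.write("host-only data (constructed)\n")
    os.symlink(outside, os.path.join(src, "LICENSE"))
    return tmp


def run_demo() -> dict:
    """Run both checks against an honest in-tree path and the symlinked one,
    clean up the fixture, and return the verdicts."""
    tmp = build_demo_tree()
    src = os.path.join(tmp, "source")
    try:
        return {
            "naive_honest": naive_is_contained(src, "COPYING"),
            "naive_symlink": naive_is_contained(src, "LICENSE"),   # accepted: the bug
            "strict_honest": strict_is_contained(src, "COPYING"),
            "strict_symlink": strict_is_contained(src, "LICENSE"), # rejected
        }
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {'allowed' if verdict else 'blocked'}")
```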

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-39977
OPENSUSE-SU-2026:10590-1

Affected Products

Flatpak-Builder