This update for flatpak fixes the following issues:
* CVE-2026-34078: Arbitrary code execution via crafted symlinks in sandbox-
expose options (bsc#1261769).
* CVE-2026-34079: Arbitrary file deletion on host via improper cache file path
validation (bsc#1261770).
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
zypper in -t patch SUSE-2026-1511=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-1511=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-1511=1
* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-1511=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-1511=1
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
* flatpak-debuginfo-1.12.8-150400.3.12.1
* flatpak-1.12.8-150400.3.12.1
* typelib-1_0-Flatpak-1_0-1.12.8-150400.3.12.1
* flatpak-zsh-completion-1.12.8-150400.3.12.1
* libflatpak0-1.12.8-150400.3.12.1
* libflatpak0-debuginfo-1.12.8-150400.3.12.1
* system-user-flatpak-1.12.8-150400.3.12.1
* flatpak-debugsource-1.12.8-150400.3.12.1
* flatpak-devel-1.12.8-150400.3.12.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64
x86_64)
* flatpak-debuginfo-1.12.8-150400.3.12.1
* flatpak-1.12.8-150400.3.12.1
* typelib-1_0-Flatpak-1_0-1.12.8-150400.3.12.1
* flatpak-zsh-completion-1.12.8-150400.3.12.1
* libflatpak0-1.12.8-150400.3.12.1
* libflatpak0-debuginfo-1.12.8-150400.3.12.1
* system-user-flatpak-1.12.8-150400.3.12.1
* flatpak-debugsource-1.12.8-150400.3.12.1
* flatpak-devel-1.12.8-150400.3.12.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64
x86_64)
* flatpak-debuginfo-1.12.8-150400.3.12.1
*...
Read the Full Advisory* bsc#1261769
* bsc#1261770
## References:
* https://www.suse.com/security/cve/CVE-2026-34078.html
* https://www.suse.com/security/cve/CVE-2026-34079.html
* https://bugzilla.suse.com/show_bug.cgi?id=1261769
* https://bugzilla.suse.com/show_bug.cgi?id=1261770
Get the latest Linux and open source security news straight to your inbox.