CVE•Published 2026-04-07•Modified 2026-04-14•0 articles on news•6 live references•NVD data

CVE-2026-34080Flatpak · Xdg-dbus-proxy

Vulnerability data via NVD (ingested)

CVSS v3.1

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS percentile

—

Weaknesses (CWE)

CWE-1289Improper Validation of Unsafe Equivalence in Input

Description

xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules but fails to handle eavesdrop ='true' (with a space before the equals sign) and similar cases. Clients can intercept D-Bus messages they should not have access to. This vulnerability is fixed in 0.1.7.

Timeline

Published 2026-04-07

Modified 2026-04-14

External references

NVD MITRE Exploit-DB GitHub PoC Sploitus VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts

vuln:CVE-2026-34080

Hosts Shodan has explicitly fingerprinted as vulnerable.

Shodan · product

product:"Flatpak Xdg-dbus-proxy"

All exposed Flatpak Xdg-dbus-proxy instances — cross-reference with the CVE's affected-version range.

Shodan · banner/body mention

http.html:"Xdg-dbus-proxy"

HTTP body or banner mentions "Xdg-dbus-proxy" — catches deploys Shodan didn't identify as a product.

More intel sources (5)

Shodan report

vuln:CVE-2026-34080